Abstract

We consider the implementation of two-party cryptographic primitives based on the sole assumption 
that no large-scale reliable quantum storage is available to the cheating party. We construct novel 
protocols for oblivious transfer and bit commitment, and prove that realistic noise levels provide security 
even against the most general attack. Such unconditional results were previously only known in the so-called
bounded-storage model which is a special case of our setting. Our protocols can be implemented
with present-day hardware used for quantum key distribution. In particular, no quantum storage is 
required for the honest parties. 
1 The noisy-storage model: definition and results
1.1 Motivation: security from physical assumptions 

The security of most cryptographic systems currently in use is based on the premise that a certain computational
problem is hard to solve for the adversary. Concretely, this relies on the assumption that the adversary's
computational resources are limited, and the underlying problem is hard in some precise complexity-theoretic 
sense. While the former assumption may be justified in practice, the latter statement is usually an unproven 
mathematical conjecture. In contrast, quantum cryptographic schemes are designed in such a way that 
they provide security based solely on the validity of quantum physics. No assumptions on the adversary's 
computational power nor the validity of some complexity-theoretic statements are needed. 

Unfortunately, not even the laws of quantum physics allow us to realize all desirable cryptographic
functionalities without further assumptions [37, 39, 38, 45]. An example of such a functionality is (fully
randomized) oblivious transfer, where Alice receives two random strings $S_0, S_1$, while Bob receives one of
the strings $S_C$ together with the index $C$. Security for this primitive means that neither Alice nor Bob can
obtain any information beyond this specification. A protocol which securely implements oblivious transfer
is desirable because any two-party computation, such as secure identification, can be based on this building
block [29, 23].

In light of this state of affairs, it is natural to consider other physical assumptions: Motivated by similar
classical models, the authors of [12, 15] and [53, 55, 62] propose to assume that the adversary's
quantum storage is bounded and noisy, respectively. The assumption of bounded quantum storage deals
with the noiseless case (but assumes a small amount of storage), whereas the noisy-storage model deals with
the case of noise (but possibly a large amount of storage). Here, we introduce a more general point of view
which incorporates both the amount of storage and noise. We refer to this simply as the noisy-storage model.
The previously considered settings are special cases, as we will explain below.

Compared to the classical world, the assumption of limited and noisy quantum storage is particularly 
realistic in view of the present state of the art, and the considerable challenges faced when trying to build 
scalable quantum memories. Indeed, it is unknown whether it is physically possible to build noise free 
memories. Further motivation for considering noise as a resource for security over the mere assumption of 
bounded storage comes from the fact that the transfer of the state of a (photonic) qubit used during the 
execution of the protocol onto a different carrier used as a quantum memory (such as an atomic ensemble) 
is typically already noisy. At present, it is not even clear whether it is theoretically possible to close this gap 
in a quantum mechanical world, or if this transformation is inherently noisy. 
1.2 Contribution and methods

Here, we consider the noisy-storage model which was previously introduced in [53, 55, 62] where it appeared in
a slightly more specialized form. All previous security proofs in this model required additional assumptions
beyond having noise. In particular, in the analysis of [62], the adversary was restricted to performing
individual attacks using product measurements on the qubits received in the protocol. This is a significant
restriction as multi-qubit measurements are possible even today, and can be compared to an analysis of
quantum key distribution [4] where the eavesdropper is restricted to measuring each qubit individually. We
provide a fully general proof of security against arbitrary attacks, showing that bit commitment and oblivious transfer
can be achieved in the general noisy-storage model which encompasses and extends all previously considered
settings [12, 15, 53, 55, 62]. As a side effect, we thereby also obtain significantly improved parameters for
the special case of bounded storage.

In order to obtain this result, we require a number of methods that have not been used before either in 
the noisy- or bounded-quantum-storage setting. 

• We formally relate the security of our protocols to the problem of sending information through the
noisy-storage channel. This is very intuitive, and much more natural than previous approaches such
as the restriction to individual attacks in the noisy-storage model [62], or the assumption of bounded
storage [12]. More specifically, we show that a sufficient condition for security is that the number
of classical bits that can be sent through the noisy-storage channel is limited. We introduce our
generalized model in Section 1.3 and state our result in Section 1.4.

• We introduce a novel cryptographic primitive called weak string erasure (see Section 3) that may be of
independent interest. We provide a simple quantum protocol that securely realizes weak string erasure 
in the noisy-storage model, in which the honest parties do not require any quantum memory at all to 
execute the protocol. Our protocol can be implemented with present-day technology. In our security 
proof, we require information-theoretic tools such as the recently proven strong converse for channel 
coding [36].

• We construct new protocols for bit commitment and oblivious transfer based on weak string erasure, 
and prove security against arbitrary attacks. Our protocols are purely classical, merely using the simple 
quantum primitive of weak string erasure which is a conceptually appealing feature. We thereby make 
use of various techniques such as error-correcting codes, privacy amplification, interactive hashing and 
min-entropy sampling with respect to a quantum adversary.

Our work raises many immediate open questions, and has already sparked several other works which we 
discuss in Section 6.

1.3 The noisy-storage model 

Let us now describe more formally what we mean by a noisy quantum memory. We think of a device whose
input states are in some Hilbert space $\mathcal{H}_{\mathrm{in}}$. A state $\rho$ stored in the device decoheres over time. That is,
the content of the memory after some time $t$ is a state $\mathcal{F}_t(\rho)$, where $\mathcal{F}_t : \mathcal{B}(\mathcal{H}_{\mathrm{in}}) \to \mathcal{B}(\mathcal{H}_{\mathrm{out}})$ is a completely
positive trace-preserving map corresponding to the noise in the memory. Since the amount of noise may
of course depend on the storage time, the behaviour of the storage is completely described by the family
of maps $\{\mathcal{F}_t\}_{t \geq 0}$. We will make the minimal assumption that the noise is Markovian, that is, the family
$\{\mathcal{F}_t\}_{t \geq 0}$ is a continuous one-parameter semigroup

$$\mathcal{F}_0 = \mathbb{I} \quad \text{and} \quad \mathcal{F}_{t_1 + t_2} = \mathcal{F}_{t_1} \circ \mathcal{F}_{t_2} . \qquad (1)$$

This tells us that the noise in storage only increases with time, and is essential to ensure that the adversary
cannot gain any information by delaying the readout.¹ This is the only restriction imposed on the adversary

¹This property is implicitly assumed in [62].
who may otherwise be all-powerful. In particular, we allow that all his actions are instantaneous, including
computation, communication, measurement and state preparation. 

How can we hope to obtain security in such a model? In our protocol, we will introduce certain time
delays $\Delta t$ which force any adversary to use his storage device for a time at least $\Delta t$. Our assumptions imply
that the best an adversary can do is to read out the information from the device immediately after time $\Delta t$,
as any further delay will only degrade his information further. We can thus focus on the channel $\mathcal{F} = \mathcal{F}_{\Delta t}$
when analyzing security instead of the family $\{\mathcal{F}_t\}_{t \geq 0}$. Note that since the adversary's actions are assumed
to be instantaneous, he can use any error-correcting code even if the best encoding and decoding procedure
may be difficult to perform. Summarizing, our model assumes that

• The adversary has unlimited classical storage, and (quantum) computational resources. 

• Whenever the protocol requires the adversary to wait for a time $\Delta t$, he has to measure/discard all
his quantum information except what he can encode (arbitrarily) into $\mathcal{H}_{\mathrm{in}}$. This information then
undergoes noise described by $\mathcal{F}$.

To see how previously analyzed cases fit into our model, note that the bounded-storage model corresponds
to the case where $\mathcal{H}_{\mathrm{in}}$ is of limited input dimension, and $\mathcal{F}$ is the identity on $\mathcal{H}_{\mathrm{in}}$. Concretely, [15] considers
protocols with $n$ qubits of communication and $\mathcal{H}_{\mathrm{in}} = (\mathbb{C}^2)^{\otimes \nu n}$ for some parameter $\nu > 0$ which we call the
storage rate. Security of certain protocols was established for $\nu < 1/4$. Furthermore, the protocol proposed
by Crépeau for oblivious transfer is secure if the adversary cannot store any quantum information at
all, corresponding to a storage rate of $\nu = 0$. Previous work on the noisy-storage model [62] analyzed
protocols with $n$ qubits of communication, where the noise $\mathcal{F} = \mathcal{N}^{\otimes n}$ is an $n$-fold tensor product of a noisy
single-qubit channel $\mathcal{N} : \mathcal{B}(\mathbb{C}^2) \to \mathcal{B}(\mathbb{C}^2)$ (i.e., $\mathcal{H}_{\mathrm{in}} = (\mathbb{C}^2)^{\otimes n}$ and $\nu = 1$). Note, however, that in [62] the
adversary was further restricted to performing product measurements on the qubits received in the protocol
(albeit otherwise fully arbitrary).

1.4 Main result 

We now state our main result of establishing security in the noisy-storage model against fully general attacks
for arbitrary channels $\mathcal{F} : \mathcal{B}(\mathcal{H}_{\mathrm{in}}) \to \mathcal{B}(\mathcal{H}_{\mathrm{out}})$. As explained, we form a very natural relation between the
security of our protocols and the problem of transmitting information through the noisy-storage channel.²
More specifically, we prove that a sufficient condition for security is that the number of classical bits that
can be sent through the noisy-storage channel is limited.

As usual in cryptography, we would like to compare the adversary's resources to those of the honest
parties and/or the complexity of operations used in the protocol. Here we parametrize these by the number
$n$ of qubits transmitted during the protocol. For the adversary's storage, we therefore consider a family
$\{\mathcal{F}_n\}_n$ of storage devices. The quality of the adversary's storage can then be measured (for a fixed $n$) by the
following operational quantity: the success probability of correctly transmitting a randomly chosen $nR$-bit
string $X \in \{0,1\}^{nR}$ through the storage device $\mathcal{F}$, which can be written as

$$P^{\mathrm{succ}}_{\mathcal{F}}(nR) := \max \sum_{x \in \{0,1\}^{nR}} \frac{1}{2^{nR}} \operatorname{tr}\big(D_x \mathcal{F}(\rho_x)\big) , \qquad (2)$$

where the maximum is taken over families of code states $\{\rho_x\}_{x \in \{0,1\}^{nR}}$ on $\mathcal{H}_{\mathrm{in}}$ and decoding POVMs
$\{D_x\}_{x \in \{0,1\}^{nR}}$ on $\mathcal{H}_{\mathrm{out}}$. We show that security can be obtained for arbitrary channels with the property
that the decoding probability decays exponentially above a certain threshold:

Theorem 1.1 (Informal statement). Suppose that for the family of channels $\{\mathcal{F}_n\}_n$ and the constant $0 <
R < 1/2$ there exist constants $n_0 > 0$ and $\gamma > 0$ such that for all $n > n_0$ the decoding probability satisfies

$$P^{\mathrm{succ}}_{\mathcal{F}_n}(nR) \leq 2^{-\gamma n} . \qquad (3)$$



²The communication problem is equivalent to storing the string, and later trying to read it from the device.
Then oblivious transfer and bit commitment can be implemented using $O(n)$ qubits of communication against
an adversary whose noisy storage is described by the family $\{\mathcal{F}_n\}_n$. Moreover, the security is exponential in $n$.

Remarkably, the statement of Theorem 1.1 does not require any knowledge of the channel $\mathcal{F}$ beyond its
relation to the coding problem. In particular, we do not need to assume that $\mathcal{F}$ is of tensor product form.
This includes for example the practically interesting case where errors are likely to occur in bursts in the
storage device, or the noisy channel itself has memory. We discuss possible extensions and limitations of our
approach in Section 6. We point out that the length of the input strings used in oblivious transfer and bit
commitment per communicated qubit depends on the exponent $\gamma$ in (3); this is hidden in the constant in
the $O$-expression in Theorem 1.1.

Determining the constant $\gamma$ is of course no easy task for arbitrary storage devices. To obtain explicit
security parameters, we thus proceed to consider the special case where the channels are of the form $\mathcal{F} =
\mathcal{N}^{\otimes \nu n}$, where $n$ is the number of qubits sent in the protocol, and $\nu > 0$ is the storage rate. Our proof
connects the security of protocols in the noisy-storage model for such channels to the classical capacity $C_{\mathcal{N}}$
of $\mathcal{N}$. This provides a quantitative expression of our intuition that noisy channels which are of little use for
classical information transmission give rise to security in the noisy-storage model. First of all, observe that
there can only exist a constant $\gamma > 0$ leading to the exponential decay of (3) if the classical capacity $C_{\mathcal{N}}$
of the channel is strictly smaller than the rate $R$ at which we send information through the channel. This,
however, is not sufficient, since $R > C_{\mathcal{N}}$ is not generally known to imply (3) for $\mathcal{F} = \mathcal{N}^{\otimes n}$. We are therefore
interested in channels which satisfy the following strong-converse property: The success probability (2)
decays exponentially for rates $R$ above the capacity, i.e., it takes the form

$$P^{\mathrm{succ}}_{\mathcal{N}^{\otimes n}}(nR) \leq 2^{-n\,\gamma^{\mathcal{N}}(R)} \quad \text{where } \gamma^{\mathcal{N}}(R) > 0 \text{ for all } R > C_{\mathcal{N}} . \qquad (4)$$

In [36], property (4) was shown to hold for a large class³ of channels, including the depolarizing channel
(see (5) below). It was also shown how to compute $\gamma^{\mathcal{N}}(R)$. Combining Theorem 1.1 with (4), we obtain the
following statement:

Corollary 1.2 (Informal statement). Let $\nu > 0$, and suppose that $\mathcal{N}$ satisfies the strong-converse property
(4). If

$$C_{\mathcal{N}} \cdot \nu < \frac{1}{2} ,$$

then oblivious transfer and bit commitment can be implemented with polynomial resources (in $n$) and exponential
security against an adversary with noisy storage $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$. For the special case of bounded
(noise-free) qubit storage ($C_{\mathcal{N}} = 1$) this gives security for $\nu < 1/2$.

An important example for which we obtain security is the $d$-dimensional depolarizing channel $\mathcal{N}_r :
\mathcal{B}(\mathbb{C}^d) \to \mathcal{B}(\mathbb{C}^d)$ defined for $d \geq 2$ as

$$\mathcal{N}_r(\rho) := r\rho + (1-r)\frac{\mathbb{I}}{d} \quad \text{for some fixed } 0 \leq r \leq 1 , \qquad (5)$$

which replaces the input state $\rho$ with the completely mixed state with probability $1-r$. For $d = 2$, this
means that the adversary can store $\nu n$ qubits, which are affected by independent and identically distributed
noise. It has been shown that the depolarizing channel exhibits the strong-converse property [36]. To see
for which values of $r$ we can obtain security, we need to consider the classical capacity of the depolarizing
channel as evaluated by King [21]. For $d = 2$, i.e., qubits, it is given by

$$C_{\mathcal{N}_r} = 1 + \frac{1+r}{2}\log\frac{1+r}{2} + \frac{1-r}{2}\log\frac{1-r}{2} .$$

Figure 1 shows the region in the $(r, \nu)$-plane corresponding to the noise channel $\mathcal{F} = \mathcal{N}_r^{\otimes \nu n}$, where we
allow $n$ qubits of communication in the protocol. This is obtained from Corollary 1.2 (the depolarizing
channel $\mathcal{N}_r$ satisfies the corresponding conditions).

³The result of [36] applies to channels with certain covariance properties and additive minimum output $\alpha$-Rényi entropy.
Examples are all unital qubit channels, the Werner-Holevo channel and the depolarizing channel.
Figure 1: Our results applied to depolarizing noise $\mathcal{F} = \mathcal{N}_r^{\otimes \nu n}$: The vertical axis represents the noise
parameter $r$, while the horizontal axis represents the storage rate $\nu$. Our protocols are secure when the pair
$(r, \nu)$ is in the lower region bounded by the solid blue curve. Security is still possible in the region labeled
with '?', but cannot be obtained from our analysis.



Comparison to the bounded-storage model: depolarizing noise 

It was previously observed [53] that the case of depolarizing storage noise (i.e., $r < 1$) can be dealt with
using results obtained in the bounded-storage model (i.e., $r = 1$) when the noise is sufficiently strong. More
precisely, the results of [15] can be extended to give non-trivial statements if the "effective" dimension of the
storage system is less than $n/4$, where $n$ is the number of qubits communicated in the protocol.⁴ We
sketch such a simple dimensional analysis to illustrate that our model offers significant improvements over
the bounded-storage analysis: we obtain security even at lower noise levels and higher storage rates.




[Figure 2 plot; legend entries: "Previous work", "Our simple argument"; axis ticks 0.2, 0.4, 0.6, 0.8, 1.0.]

Figure 2: Security for depolarizing noise parameters $(1, \nu)$ with $\nu < 1/4$ was established in the bounded-storage
model (BSM). Our more refined protocols and analysis give significantly improved parameters of
$\nu < 1/2$ for the bounded-storage model, for which the same argument extends security to the region bounded
by the green dot-dashed curve. However, our work still extends this region even further by considering noisy
instead of merely bounded storage (solid blue curve). We stress that such a naïve dimensional analysis does
not apply to other channels (such as the Two-Pauli channel), while our more refined analysis gives results
even in such cases.

Concretely, consider the noise channel $\mathcal{F} = \mathcal{N}_r^{\otimes \nu n} : \mathcal{B}((\mathbb{C}^2)^{\otimes \nu n}) \to \mathcal{B}((\mathbb{C}^2)^{\otimes \nu n})$ (cf. (5) for $d = 2$).
⁴We compare the randomized oblivious transfer protocol of [15] to our protocol based on weak string erasure.
Applying depolarizing noise to any of the $\nu n$ systems means that the state on this system is replaced
by the completely mixed state with probability $1-r$. We can think of an indicator random variable
$E^{\nu n} = (E_1, \ldots, E_{\nu n}) \in \{0,1\}^{\nu n}$, where $E_i$ is 1 if and only if the $i$-th qubit is replaced by the completely
mixed state. These "erasure" variables are independent and identically distributed Bernoulli variables with
parameter $r = P_{E_i}(0)$. In particular, the number of erasures

$$|E^{\nu n}| := \sum_{i=1}^{\nu n} E_i$$

is distributed according to the binomial distribution with $\nu n$ trials, each of which succeeds with probability
$1-r$.

We now assume that the adversary is given the location of the erasures $E^{\nu n}$ in addition to the output of
the channel. Note that this can only make the adversary more powerful. Conditioned on the locations $E^{\nu n}$,
the "effective dimension" of his channel is equal to $2^{\nu n - |E^{\nu n}|}$. Hence, we may think of an "effective" storage
rate $\nu_{\mathrm{eff}}$ given by the random variable

$$\nu_{\mathrm{eff}} = \nu - \frac{|E^{\nu n}|}{n} .$$

We know from the bounded storage model analysis that for $\nu_{\mathrm{eff}} < \frac{1}{4}$, the previously studied protocols
provide security. Overall, we therefore conclude that security can be obtained from the noisy channel $\mathcal{F}$
if $\Pr[\nu_{\mathrm{eff}} \geq \frac{1}{4}]$ is exponentially small. Note that by Chernoff's inequality

$$\Pr\Big[\nu_{\mathrm{eff}} \geq \frac{1}{4}\Big] = \Pr\big[|E^{\nu n}| \leq (1-\delta)\mu\big] \leq e^{-\mu\delta^2/2} \quad \text{if } \delta = \frac{1 - 4\nu r}{4\nu(1-r)} > 0 , \text{ where } \mu = \nu n(1-r) .$$

In particular, we conclude that we obtain security for

$$\nu r < \frac{1}{4} . \qquad (6)$$

Figure 2 compares the curve of this equation (6) to the results we will derive below. We see that for the
noiseless case ($r = 1$), our analysis provides security for storage rates $\nu < 1/2$, extending previous results (i.e.,
$\nu < 1/4$ in [15]) in the bounded-storage model. This improvement stems from the fact that (for oblivious
transfer) our protocol uses a different classical post-processing based on interactive hashing instead of the
min-entropy splitting tool of [13]. Note that this requires additional rounds of classical communication.

One may wonder whether a security proof may alternatively be obtained based on the idea of simulating
the storage noise $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$ using a limited number of qubits. For channels without memory, the quantum
reverse Shannon theorem [5] tells us that $\mathcal{F}$ can be simulated using a certain number of (noise-free) qubits
when the sender and receiver share entanglement. Hence the total size of the system consisting of the
noise-free qubits and the entanglement is rather large. However, as explained in [5], the theorem implies an
exponential decay of the decoding probability as in (4), but only for rates $R$ greater than the entanglement-assisted
capacity of the channel $\mathcal{N}$. Our security results thus extend to this regime by our new analysis
from this paper. Since the latter is greater than the unassisted capacity in general, this suggests that
such a simulation-based approach is generally suboptimal: we are essentially overestimating the adversary's
capabilities by allowing him to use (noise-free, time-like) entanglement.

Let us give a simple concrete example that provides some intuition on why bounding the adversary's
information by the size of his storage device is generally undesirable. Imagine that the adversary's channel
replaces the $n$ input qubits by a fixed state with overwhelmingly high probability and leaves the input
untouched with negligible probability $2^{-n}$. Clearly, the number of noise-free qubits required to simulate this
channel is equal to $n$, yet the adversary's decoding probability will be exponentially small. Simply bounding
the adversary's information gain in terms of his storage as in the bounded-storage analysis [15] therefore
significantly overestimates his abilities.⁵

⁵One may argue that this example is artificial, and can easily be dealt with by "smoothing": the channel is exponentially close
1.5 Techniques: weak string erasure

Before describing our protocols and proving Theorem 1.1, we give a short overview of the techniques involved.

First, we introduce a primitive called weak string erasure, which may be of independent interest. Our
protocols for oblivious transfer and bit commitment are then based on this primitive. Weak string erasure
provides Alice with a random bit-string $X^n \in \{0,1\}^n$, while Bob receives a randomly chosen substring $X_I =
(X_{i_1}, \ldots, X_{i_\ell})$, together with the index set $I = \{i_1, \ldots, i_\ell\}$ specifying the location of these bits. Security of
weak string erasure roughly means that Bob will remain ignorant about a significant amount of information
about $X^n$, while security against Alice means that she does not learn anything about $I$ (for a precise
definition, we defer the reader to Section 3).

We provide a protocol for weak string erasure in the noisy-storage model. This protocol can be implemented
with present-day hardware used for quantum key distribution. In particular, it does not require the
honest parties to have any form of quantum memory. We prove security of this protocol for channels $\mathcal{F}$ as
stated in Theorem 1.1. Security against (even an all-powerful) Alice follows from the fact that the protocol
only involves one-way communication from Alice to Bob. The security analysis in the presence of a malicious
Bob limited by storage noise $\mathcal{F}$ is more involved. Our proof combines an entropic uncertainty relation
involving post-measurement information [7, 15] with a reformulation of the problem as a coding scheme:
Essentially, the uncertainty relation implies that with high probability (over measurement outcomes), Bob's
classical information about $X^n$ before using his storage is limited. We then show that this implies that any
successful attacker Bob needs to encode classical information at a high rate into his storage device. However,
the assumed noisiness of $\mathcal{F}$ precludes this.

Having built a protocol for weak string erasure, we proceed to present protocols for bit commitment and
oblivious transfer. The case of bit commitment is particularly appealing: It is essentially only based on
weak string erasure and a classical code, and requires little additional analysis. Our approach to realizing
oblivious transfer is somewhat more involved: Here weak string erasure is combined with a technique called
interactive hashing [52]. The output of interactive hashing is a pair of substrings of $X^n$, one of which is
completely known to Bob, while he only has partial knowledge about the other. Privacy amplification [50]
is then used to extract completely random bits. The security analysis of this protocol requires the use of
entropy sampling with respect to a quantum adversary [32].

As a side remark, note that Kilian [29] showed that oblivious transfer is universal for secure two-party
computation. In particular, bit commitment could be built from oblivious transfer, but this reduction is
generally inefficient.

2 Tools 

We briefly introduce all necessary notation as well as several important concepts we will need throughout the
paper. For weak string erasure we require the notion of min-entropy (Section 2.2.1), uncertainty relations
(Section 2.2.3), as well as an understanding of how storage noise leads to information loss for the cheating
party (Section 2.3). In our protocols for bit-commitment and oblivious transfer from weak string erasure,
we additionally require the concepts of smooth min-entropy (Section 2.2.2) and secure keys (Section 2.2.4)
respectively, and a number of tools, namely privacy amplification (Section 2.4.1), sampling of min-entropy
(Section 2.4.2), and finally interactive hashing (Section 2.4.4).

to one which can be simulated with no qubits at all. More complex examples exist even classically: Imagine the adversary has
some information $B$ about a randomly chosen $n$-bit classical string $X$, where $B$ is the result of sending the string $X$ through a
classical channel that outputs the first $i \in \{1, \ldots, n\}$ bits of $X$ with probability $p_i = 2^{-i}$ for $i < n$ and $p_i = 2 \cdot 2^{-i}$ for $i = n$. In
cryptography the adversary's information is measured in terms of the min-entropy $H_\infty(X|B) = n - \log(1/(n+1))$. Furthermore,
$H_0(B) = \log \operatorname{rank}(\rho_B) = n$ and even for a small smoothing parameter $\varepsilon$, one still has $H_0^\varepsilon(B) \geq n - \log(1/\varepsilon)$. Knowing
the size of $B$ only gives us the trivial bound $H_\infty(X|B) \geq H_\infty(X) - H_0(B) = 0$, although the conditional min-entropy is almost
maximal.
2.1 Notation

For an integer $n$, let $[n] := \{1, \ldots, n\}$. We use $2^{[n]} := \{S \mid S \subseteq [n]\}$ to refer to the set of all possible subsets
of $[n]$, including the empty set $\emptyset$. For an $n$-tuple $x^n = (x_1, \ldots, x_n) \in \mathcal{X}^n$ over a set $\mathcal{X}$ and a (non-empty)
set $I = \{i_1, \ldots, i_\ell\} \in 2^{[n]}$, we write $x_I$ for the subtuple $x_I = (x_{i_1}, \ldots, x_{i_\ell}) \in \mathcal{X}^\ell$.

We use upper case letters to denote a random variable $X$ distributed according to a distribution $P_X$
over a set $\mathcal{X}$, and use lower case letters $x$ for elements $x \in \mathcal{X}$. Joint distributions of e.g., three random
variables $(X, Y, Z)$ on $\mathcal{X} \times \mathcal{Y} \times \mathcal{Z}$ are denoted by $P_{XYZ}$. Given a function $f : \mathcal{X} \to \mathcal{Y}$, any distribution
$P_X$ of a random variable $X$ gives rise to another jointly distributed random variable $Y = f(X)$: The joint
distribution $P_{XY} = P_{Xf(X)}$ is given by

$$P_{Xf(X)}(x, y) = P_X(x)\, \delta_{f(x), y} , \qquad (7)$$

where $\delta_{i,j}$ is the Kronecker symbol. An important example is the case where $X^n \in \{0,1\}^n$ is a random
bitstring and $I \in 2^{[n]}$ is a random subset of $[n]$, where $X^n$ and $I$ have joint distribution $P_{X^n I}$. In this case,
the joint distribution $P_{X^n I Z} = P_{X^n I X_I}$ describes e.g., a situation where some bits $Z = X_I$ of a string $X^n$
are given, together with a specification $I$ of where these bits are located in the original string.

We use $\mathcal{B}(\mathcal{H})$ to denote the set of bounded operators on a Hilbert space $\mathcal{H}$. A (quantum) state is a
Hermitian operator $\rho \in \mathcal{B}(\mathcal{H})$ satisfying $\operatorname{tr}(\rho) = 1$ and $\rho \geq 0$. Quantum states can be used to encode classical
probability distributions: for a (finite) set $\mathcal{X}$, we fix a Hilbert space $\mathcal{H}_{\mathcal{X}} = \mathbb{C}^{|\mathcal{X}|}$ and an orthonormal basis
$\{|x\rangle \mid x \in \mathcal{X}\}$ of $\mathcal{H}_{\mathcal{X}}$. This will be referred to as the computational basis. A probability distribution $P_X$ on
$\mathcal{X}$ can then be encoded into the classical state (c-state)

$$\rho_X := \sum_{x \in \mathcal{X}} P_X(x)\, |x\rangle\langle x| .$$

Of particular interest is the uniform distribution over $\mathcal{X}$, which gives rise to the completely mixed state on
$\mathcal{H}_{\mathcal{X}}$, denoted by the shorthand

States describing classical information (random variables) and truly quantum information simultaneously
are termed classical-quantum or cq-states. They are described by bipartite systems, where the classical part
of the state is diagonal with respect to the computational basis. Concretely, let $\mathcal{H}_Q$ be an additional Hilbert
space. A state $\rho_{XQ}$ on $\mathcal{H}_{\mathcal{X}} \otimes \mathcal{H}_Q$ is a cq-state if it has the form

$$\rho_{XQ} = \sum_{x \in \mathcal{X}} P_X(x)\, |x\rangle\langle x| \otimes \rho_x . \qquad (8)$$

In other words, such a state $\rho_{XQ}$ encodes an ensemble of states $\{P_X(x), \rho_x\}_{x \in \mathcal{X}}$ on $\mathcal{H}_Q$, where $\rho_x$ is the
conditional state on $Q$ given $X = x$. The notion of cq-states directly generalizes to multipartite systems,
where classical parts are diagonal with respect to the computational basis. We often fix an ordering of the
multipartite parts, and indicate by c or q whether a part is classical or quantum. We can also apply functions
to classical parts as before. For a function $f : \mathcal{X} \to \mathcal{Y}$,

$$\rho_{Xf(X)Q} := \sum_{x \in \mathcal{X},\, y \in \mathcal{Y}} P_{Xf(X)}(x, y)\, |x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho^Q_x \qquad (9)$$

is the ccq-state encoding the pair $(X, f(X))$ of classical random variables (cc) distributed according to (7) as
well as the quantum information $Q$ (q) (which depends only on $X$ in this case). Note that in (9) the systems
on the rhs. are uniquely determined by the expression on the lhs. We will therefore omit the braces below.
Given a state $\rho_{Q_1 Q_2}$ on systems $Q_1$ and $Q_2$, we also use $\rho_{Q_1} = \operatorname{tr}_{Q_2}(\rho_{Q_1 Q_2})$ to denote the state obtained by
tracing out $Q_2$.
The Hadamard transform is the unitary described by the matrix

$$H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$$

in the computational basis $\{|0\rangle, |1\rangle\}$ of the qubit Hilbert space $\mathbb{C}^2$. For the $n$-qubit Hilbert space, we let

$$H^{\theta^n} |x^n\rangle := H^{\theta_1} |x_1\rangle \otimes \cdots \otimes H^{\theta_n} |x_n\rangle \quad \text{for } x^n = (x_1, \ldots, x_n),\ \theta^n = (\theta_1, \ldots, \theta_n) \in \{0,1\}^n .$$

We also call states of this form BB84-states.

Finally, we need a distance measure for quantum states on a Hilbert space $\mathcal{H}$. We use the distance
determined by the trace norm $\|A\|_1 := \operatorname{tr}\sqrt{A^\dagger A}$ for bounded operators $A \in \mathcal{B}(\mathcal{H})$. We will say that two
states $\rho, \sigma \in \mathcal{B}(\mathcal{H})$ are $\varepsilon$-close if $\frac{1}{2}\|\rho - \sigma\|_1 \leq \varepsilon$, which we also write as

$$\rho \approx_\varepsilon \sigma .$$

2.2 Quantifying adversarial information 
2.2.1 Min-entropy and measurements 

One of the main properties of the weak string erasure primitive is that the adversary's (quantum) information
$Q$ about the generated bit-string $X$ is limited. To make this statement precise, we first need to introduce
an appropriate measure of information. Throughout, we are interested in the case where the adversary holds
some (possibly quantum) information $Q$ about a classical random variable $X$. This situation is described by
a cq-state $\rho_{XQ}$ as in (8). A natural measure for the amount of information $Q$ gives about $X$ is the maximal
average success probability that a party holding $Q$ has in guessing the value of $X$. For a given cq-state $\rho_{XQ}$,
this guessing probability can be written as

$$P_{\mathrm{guess}}(X|Q) := \max_{\{D_x\}} \sum_{x \in \mathcal{X}} P_X(x)\, \operatorname{tr}(D_x \rho_x) , \qquad (10)$$

where the maximization is over all POVMs $\{D_x\}_{x \in \mathcal{X}}$ on $\mathcal{H}_Q$. It will be convenient to turn (10) into a
conditional entropy-like quantity, called the min-entropy, which is given by⁶

$$H_\infty(X|Q) := -\log P_{\mathrm{guess}}(X|Q) . \qquad (11)$$

Note that the min-entropy was originally defined [49] for arbitrary bipartite states $\rho_{AB}$, as we will discuss
in more detail below.

As an illustrative, yet important, example consider the following ccq-state on $\mathcal{H}_X \otimes \mathcal{H}_\Theta \otimes \mathcal{H}_Q = (\mathbb{C}^2)^{\otimes 3}$

$$\rho_{X\Theta Q} = \frac{1}{4} \sum_{x, \theta \in \{0,1\}} |x\rangle\langle x| \otimes |\theta\rangle\langle\theta| \otimes H^\theta |x\rangle\langle x| H^\theta . \qquad (12)$$

This state arises when encoding a uniformly random bit $X$ using either the computational basis ($\Theta = 0$) or
the Hadamard basis ($\Theta = 1$) chosen uniformly at random. Clearly, we have

$$H_\infty(X) = 1, \quad H_\infty(X|\Theta) = 1 \quad \text{and} \quad H_\infty(X|Q\Theta) = 0 ,$$

where the last identity is a consequence of the fact that given $\Theta = \theta$, the operation $H^\theta$ can be undone, such
that a subsequent measurement in the computational basis provides $X$ with certainty. Note that this is a
special case of the identity

$$H_\infty(X|Q\Theta) = -\log \mathbb{E}_{\theta \leftarrow P_\Theta}\Big[2^{-H_\infty(X|Q, \Theta = \theta)}\Big] \qquad (13)$$



^AU logarithms are taken to base 2. 
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for a general cq-state pxQe with classical part 0, where Ee^Pe denotes the expectation value over the choice 
of 8, and lloo{X\Q, G = 6') is the min-entropy of the conditional state 

Px\Q,e=e^ Px\e=eix)\x){x\®H'\x){x\H' . 
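The quantities in the example (12) and identity (13) can be computed directly for the single-qubit case. The following is an added worked example (not code from the paper): it builds the conditional states $\rho_Q^x$ of the BB84 encoding, evaluates the guessing probability (10) for the binary case via the Helstrom bound $P_{\mathrm{guess}} = \frac{1}{2}(1 + \|P_X(0)\rho_Q^0 - P_X(1)\rho_Q^1\|_1)$ (which is the optimal two-outcome POVM, an assumption of this example rather than a result stated on the page), and then evaluates $H_\infty(X|Q)$ and, via (13), $H_\infty(X|Q\Theta)$. All states involved are real $2\times 2$ matrices, so no numerical library is needed.

```python
import math

def bb84_ket(theta, x):
    """H^theta |x>: computational basis for theta = 0, Hadamard basis for theta = 1."""
    if theta == 0:
        return [1.0, 0.0] if x == 0 else [0.0, 1.0]
    s = 1.0 / math.sqrt(2.0)
    return [s, s] if x == 0 else [s, -s]

def projector(v):
    """|v><v| for a real unit vector v, as a 2x2 list-of-lists."""
    return [[v[i] * v[j] for j in range(2)] for i in range(2)]

def combine(a, b, wa, wb):
    """wa * a + wb * b for real 2x2 matrices."""
    return [[wa * a[i][j] + wb * b[i][j] for j in range(2)] for i in range(2)]

def trace_norm(m):
    """||M||_1 = |lambda_1| + |lambda_2| for a real symmetric 2x2 matrix M."""
    a, b, d = m[0][0], m[0][1], m[1][1]
    disc = math.sqrt(((a - d) / 2.0) ** 2 + b ** 2)
    lam1, lam2 = (a + d) / 2.0 + disc, (a + d) / 2.0 - disc
    return abs(lam1) + abs(lam2)

def guessing_probability(rho0, rho1, p0=0.5):
    """Helstrom bound (assumed here): for a bit X with P_X(0) = p0 and conditional
    states rho0, rho1 the maximum in (10) equals 1/2 (1 + || p0 rho0 - p1 rho1 ||_1)."""
    return 0.5 * (1.0 + trace_norm(combine(rho0, rho1, p0, -(1.0 - p0))))

def min_entropy(pguess):
    """H_inf(X|Q) = -log2 P_guess(X|Q), equation (11)."""
    return -math.log2(pguess)

def pguess_given_Q():
    """P_guess(X|Q) for the state (12) when the basis Theta is NOT known:
    rho_Q^x = 1/2 (|x><x| + H|x><x|H)."""
    rho = {x: combine(projector(bb84_ket(0, x)), projector(bb84_ket(1, x)), 0.5, 0.5)
           for x in (0, 1)}
    return guessing_probability(rho[0], rho[1])

def hmin_given_Q():
    """H_inf(X|Q) for the state (12), equation (11) applied to pguess_given_Q()."""
    return min_entropy(pguess_given_Q())

def hmin_given_Q_Theta():
    """H_inf(X|Q Theta) via identity (13): average 2^{-H_inf(X|Q,Theta=theta)} over theta.
    For fixed theta the two conditional states are orthogonal, so each term is 2^0 = 1."""
    avg = 0.0
    for theta in (0, 1):
        rho0 = projector(bb84_ket(theta, 0))
        rho1 = projector(bb84_ket(theta, 1))
        avg += 0.5 * 2.0 ** (-min_entropy(guessing_probability(rho0, rho1)))
    return -math.log2(avg)

if __name__ == "__main__":
    print("P_guess(X|Q)   =", pguess_given_Q())
    print("H_inf(X|Q)     =", hmin_given_Q())
    print("H_inf(X|QTheta) =", hmin_given_Q_Theta())
```

Running it reproduces the qualitative picture of the text: once the basis is known the min-entropy drops to zero, while without the basis the best guess is noticeably better than $1/2$ but far from certain.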

Returning to the state (12), it can also be shown [?] that

2.2.2 Smooth min-entropy 

When building oblivious transfer from weak string erasure, we will need to employ a more general definition of the min-entropy given in [49]. For arbitrary (not necessarily unit-trace, or cq) bipartite density operators $\rho_{AB}$ this quantity is defined as

$$ H_\infty(A|B)_\rho := -\log \inf \left\{ \mathrm{tr}(\sigma_B) \ \middle|\ \sigma_B \ge 0 \text{ and } \rho_{AB} \le \mathbb{I}_A \otimes \sigma_B \right\} , \qquad (14) $$

where we use the subscript $\rho$ to indicate what state the quantity refers to. In [34], it was shown via semidefinite programming duality that for a cq-state $\rho_{XQ}$, definition (14) of $H_\infty(X|Q)$ coincides with definition (11) in terms of the guessing probability $P_{\mathrm{guess}}(X|Q)$. The advantage of (14) is that it allows us to maximize over neighborhoods of $\rho_{XQ}$. This leads to the definition of smooth entropy [49], which is defined as

$$ H^\varepsilon_\infty(X|Q)_\rho := \sup_{\substack{\bar\rho_{XQ} \ge 0 :\ \frac{1}{2}\|\bar\rho_{XQ} - \rho_{XQ}\|_1 \le \mathrm{tr}(\rho_{XQ})\cdot\varepsilon \\ \mathrm{tr}(\bar\rho_{XQ}) \le \mathrm{tr}(\rho_{XQ})}} H_\infty(X|Q)_{\bar\rho} . \qquad (15) $$

We will also use the fact that if $\rho_{XQ}$ is a cq-state, the supremum can be restricted to density operators $\bar\rho_{XQ}$ where $X$ is classical and has the same range as the original $X$. Definition (15) will be convenient for our proof: roughly, we will construct some state that has high min-entropy. We then show that the state created during a real execution of the protocol is $\varepsilon$-close to this state. By the above definition, the actual state generated in the protocol has high smooth min-entropy.

A useful property of the smooth min-entropy is that it obeys a chain rule [49, Theorem 3.2.12], which states that for any ccq-state $\rho_{XYQ}$, we have

$$ H^\varepsilon_\infty(X|YQ)_\rho \ge H^\varepsilon_\infty(X|Q)_\rho - \log|\mathcal{Y}| , \qquad (16) $$

where $|\mathcal{Y}|$ is the size of the support of $Y$.

2.2.3 Uncertainty relations for post-measurement information 

When showing the security of weak string erasure, we need to consider a setting where an adversary can first extract some classical information $K$ given access to a quantum system $Q$ and later obtains some additional information $\Theta$. His objective is to guess the value of a random variable $X$. Suppose he applies a measurement described by a POVM $\{E_k\}_k$ to $Q$, and retains only the measurement result $k$. We can think of this as a completely positive trace-preserving map (CPTPM) $\mathcal{K} : \mathcal{B}(\mathcal{H}_Q) \to \mathcal{B}(\mathcal{H}_K)$. When he performs this measurement on the $Q$-part of a cq-state $\rho_{XQ}$, we get

$$ \rho_{X\mathcal{K}(Q)} := (\mathbb{I}_X \otimes \mathcal{K})(\rho_{XQ}) = \sum_k \mathrm{tr}_Q\!\left((\mathbb{I}_X \otimes E_k)\rho_{XQ}\right) \otimes |k\rangle\langle k| , $$

which is a cc-state (i.e., an encoded joint distribution $P_{XK}$) if $X$ is classical. Due to its definition, the min-entropy $H_\infty(X|Q)$ is intimately connected with such measurements, and in fact it is easy to see that

$$ H_\infty(X|Q) = \min_{\mathcal{K}} H_\infty(X|\mathcal{K}(Q)) . \qquad (17) $$

This important identity relates min-entropies given quantum information $Q$ to min-entropies given classical information $K = \mathcal{K}(Q)$.

Footnote: Unlike in [49], we require that half the 1-norm is bounded. This ensures that $H^\varepsilon_\infty(X|Q)_\rho \ge H_\infty(X|Q)_\sigma$ if $\rho_{XQ} \approx_\varepsilon \sigma_{XQ}$.

Returning to the example given in (12), let us consider what happens if the adversary learns the basis information $\Theta$ after the measurement $\mathcal{K}$. In [1, Theorem 4.7] it was shown that the minimal post-measurement min-entropy optimized over all measurements $\mathcal{K}$ obeys

$$ \min_{\mathcal{K}} H_\infty(X|\mathcal{K}(Q)\Theta) = -\log\left(\frac{1}{2} + \frac{1}{2\sqrt{2}}\right) , $$

which in the case of our example matches the min-entropy $H_\infty(X|Q)$ without post-measurement information $\Theta$. In our security proof, we will need to consider $n$ repetitions of the state (12), that is,

$$ \rho_{X^n\Theta^nQ} := \rho_{X\Theta Q}^{\otimes n} , $$

where $X^n = (X_1,\ldots,X_n)$ and $\Theta^n = (\Theta_1,\ldots,\Theta_n)$ are $n$-bit strings, and $\mathcal{H}_Q = (\mathbb{C}^2)^{\otimes n}$. It follows from [51, Lemma 2] and [1] that

$$ \min_{\mathcal{K}} H_\infty(X^n|\mathcal{K}(Q)\Theta^n) = -n \cdot \log\left(\frac{1}{2} + \frac{1}{2\sqrt{2}}\right) . \qquad (18) $$

A generalization of this relation to smooth min-entropy is

$$ \min_{\mathcal{K}} H^\varepsilon_\infty(X^n|\mathcal{K}(Q)\Theta^n) \ge n\left(\frac{1}{2} - 2\delta\right) \quad \text{where } \delta \in \left]0, \tfrac{1}{4}\right[ \text{ and} \qquad (19) $$

This relation follows from [31, Corollary 3.4] using the standard purification trick (cf. [64, Lemma 2.3]). Our construction of a protocol for weak string erasure will make essential use of these uncertainty relations.



2.2.4 Secure keys and what it means to be ignorant 

We will often informally say that an adversary "does not know anything" or "does not learn anything" or "is ignorant" about some random variable $X$, even when he holds some (quantum) information $Q$. In terms of the cq-state $\rho_{XQ}$ this means that $X$ is uniformly distributed on $\mathcal{X}$, and independent of $Q$, that is,

$$ \rho_{XQ} = \tau_{\mathcal{X}} \otimes \rho_Q . \qquad (21) $$

Clearly, for such a state, the uncertainty about $X$ given $Q$ is maximal, which in terms of the min-entropy means that $H_\infty(X|Q) = \log|\mathcal{X}|$. For $\rho_{XQ}$ as in (21), $X$ is also referred to as an ideal key with respect to $Q$.

In practice, we are generally forced to work with approximately ideal keys, where $X$ is called an $\varepsilon$-secure key with respect to $Q$ if $\rho_{XQ}$ is $\varepsilon$-close to the ideal state $\tau_{\mathcal{X}} \otimes \rho_Q$, that is,

$$ \rho_{XQ} \approx_\varepsilon \tau_{\mathcal{X}} \otimes \rho_Q . \qquad (22) $$

This notion of a secure key behaves nicely under composition [3, 50, 33].
2.3 Processes that increase uncertainty

To show the security of weak string erasure, we need to capture the amount of "uncertainty" that an adversary has as a result of his noisy storage $\mathcal{F}$. First, let us consider general processes which increase uncertainty. Note that from the definitions, it is immediate [49, Theorem 3.1.12] that the min-entropy satisfies the following monotonicity property: for every CPTPM $\mathcal{F} : \mathcal{B}(\mathcal{H}_Q) \to \mathcal{B}(\mathcal{H}_{Q'})$, we have

$$ H_\infty(X|\mathcal{F}(Q)) \ge H_\infty(X|Q) . \qquad (23) $$

An important case is where $\mathcal{H}_Q = \mathcal{H}_{Q_1Q_2}$ is bipartite, and $\mathcal{F} = \mathrm{tr}_{Q_2}$ is the partial trace over the second system $Q_2$. We then get

$$ H_\infty(X|Q_1) \ge H_\infty(X|Q_1Q_2) , \qquad (24) $$

reflecting the fact that "forgetting" information makes it harder to guess $X$.

Inequality (23) is insufficient for our purposes, and we will need a more quantitative estimate on the increase of entropy due to a channel $\mathcal{F}$ representing the adversary's memory. Clearly, such an estimate will depend on properties of $\mathcal{F}$. Here we express the bound in terms of the function $P^{\mathcal{F}}_{\mathrm{succ}}(\cdot)$ introduced earlier. Intuitively, the following lemma shows that the uncertainty about $X$ after application of $\mathcal{F}$ to $Q$ is related to the problem of transmitting classical bits through the channel $\mathcal{F}$, where the number of bits is given by the min-entropy of $X$.

Lemma 2.1. Consider an arbitrary cq-state $\rho_{XQ}$ and a CPTPM $\mathcal{F} : \mathcal{B}(\mathcal{H}_Q) \to \mathcal{B}(\mathcal{H}_{\mathrm{out}})$. Then $H_\infty(X|\mathcal{F}(Q)) \ge -\log P^{\mathcal{F}}_{\mathrm{succ}}(\lfloor H_\infty(X) \rfloor)$.

Proof. Let $k := \lfloor H_\infty(X) \rfloor$. It is well-known (see e.g., [56]) that probability distributions $P_X$ with min-entropy at least $k$ are convex combinations of "flat" distributions, i.e., uniform distributions over subsets of $\mathcal{X}$ of size $2^k$. In other words, there is a joint distribution $P_{XT}$, where $T$ is distributed over subsets of size $2^k$, such that

$$ P_X(x) = \sum_t P_T(t)\, P_{X|T=t}(x) , \quad \text{and } P_{X|T=t} \text{ is uniform on } t \subseteq \mathcal{X} . $$

The distribution $P_{XT}$ together with $\rho_{XQ}$ gives rise to a state $\rho_{XQT}$ whose partial trace is equal to $\rho_{XQ}$. Again using (24), we get

$$ H_\infty(X|\mathcal{F}(Q)) \ge H_\infty(X|\mathcal{F}(Q)T) . $$

By property (13) of the min-entropy when conditioning on classical information, we have

$$ H_\infty(X|\mathcal{F}(Q)T) = -\log \mathbb{E}_{t \leftarrow P_T}\left[ 2^{-H_\infty(X|\mathcal{F}(Q),T=t)} \right] , \qquad (25) $$

where $\mathbb{E}_{t \leftarrow P_T}$ denotes the expectation value, and $H_\infty(X|\mathcal{F}(Q),T=t)$ is the min-entropy of the conditional state

$$ \rho_{X\mathcal{F}(Q)|T=t} = \sum_x P_{X|T=t}(x)\, |x\rangle\langle x| \otimes \mathcal{F}(\rho_Q^x) . $$

Now we use the fact that $P_{X|T=t}$ is uniform over a set of size $2^k$, and the definition of $P^{\mathcal{F}}_{\mathrm{succ}}(\cdot)$. This leads to

$$ H_\infty(X|\mathcal{F}(Q),T=t) \ge -\log P^{\mathcal{F}}_{\mathrm{succ}}(k) \quad \text{for all } t \text{ in the support of } P_T . \qquad (26) $$

Combining (25) with (26) gives the claim. □
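The proof above rests on the fact that a distribution with $H_\infty(X) \ge k$ is a convex combination of flat distributions over sets of size $2^k$. The following added example (not from the paper) makes that decomposition constructive: it repeatedly peels off the $2^k$ heaviest remaining elements while keeping the remaining mass "$k$-flat" (no element above $\text{total}/2^k$), which is the invariant that guarantees termination. The greedy rule and the use of exact rational arithmetic are choices of this example, not of the paper.

```python
from fractions import Fraction
from math import floor, log2

def min_entropy(p):
    """H_inf(X) = -log2 max_x P_X(x) for a classical distribution p = {x: P_X(x)}."""
    return -log2(max(p.values()))

def flat_decomposition(p):
    """Write P_X as a convex combination of flat distributions, i.e. uniform distributions
    over subsets of size 2^k with k = floor(H_inf(X)), as used in the proof of Lemma 2.1.
    Returns a list of (weight, subset) pairs with sum_t weight_t * Uniform(subset_t) = P_X.
    Exact Fractions keep the 'is this element at the cap' comparisons exact."""
    r = {x: Fraction(v) for x, v in p.items()}
    k = floor(min_entropy(p))
    size = 2 ** k
    total = sum(r.values())
    # Invariant: no remaining mass exceeds total / 2^k, i.e. the remaining
    # (unnormalised) distribution still has min-entropy at least k.
    assert max(r.values()) * size <= total
    components = []
    while total > 0:
        # The 2^k heaviest elements; elements sitting exactly at the cap sort first,
        # so at most 2^k of them exist and they are always selected.
        top = sorted(r, key=lambda x: r[x], reverse=True)[:size]
        others = [r[x] for x in r if x not in top]
        cap = total / size
        # Largest w that keeps every chosen mass >= 0 and every other mass <= the new cap.
        w = min(min(r[x] for x in top), cap - (max(others) if others else Fraction(0)))
        assert w > 0  # each step zeroes a chosen element or lifts another one to the cap
        for x in top:
            r[x] -= w
        total -= size * w
        components.append((w * size, frozenset(top)))
    return components

def recombine(components):
    """Inverse check: sum the weighted flat distributions back into a distribution."""
    p = {}
    for weight, subset in components:
        for x in subset:
            p[x] = p.get(x, Fraction(0)) + weight / len(subset)
    return p

if __name__ == "__main__":
    # Constructed sample distribution with H_inf(X) = 1, so k = 1 and the sets have size 2.
    P = {"a": 0.5, "b": 0.25, "c": 0.125, "d": 0.125}
    for weight, subset in flat_decomposition(P):
        print(weight, sorted(subset))
```

Each component's weight equals $2^k$ times the mass removed per element in that step, so the weights sum to the total mass $1$; the number of steps is at most $|\mathcal{X}|$, since every step either zeroes an element or moves one to the cap.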
We now give a straightforward but important generalization of this result.

Lemma 2.2. Consider an arbitrary ccq-state $\rho_{XTQ}$, and let $\varepsilon, \varepsilon' > 0$ be arbitrary. Let $\mathcal{F} : \mathcal{B}(\mathcal{H}_Q) \to \mathcal{B}(\mathcal{H}_{\mathrm{out}})$ be an arbitrary CPTPM. Then

$$ H^{\varepsilon+\varepsilon'}_\infty(X|T\mathcal{F}(Q)) \ge -\log P^{\mathcal{F}}_{\mathrm{succ}}\left( \left\lfloor H^\varepsilon_\infty(X|T) - \log\tfrac{1}{\varepsilon'} \right\rfloor \right) . $$

Proof. Clearly, the statement for $\varepsilon = 0$ implies the statement for any $\varepsilon > 0$ because a CPTPM cannot increase distance. To prove the statement for $\varepsilon = 0$, we consider the quantities $2^{-H_\infty(X|T=t)}$ of the conditional states $\rho_{X|T=t}$, together with the distribution $P_T$ over $T$ defined by the state $\rho_{XTQ}$. Applying Markov's inequality $\Pr[Z \ge c] \le \mathbb{E}[Z]/c$ for any real-valued random variable $Z$ and constant $c > 0$, we obtain

$$ \Pr_{t \leftarrow P_T}\left[ 2^{-H_\infty(X|T=t)} \ge \frac{1}{\varepsilon'}\cdot\mathbb{E}_{t \leftarrow P_T}\left[2^{-H_\infty(X|T=t)}\right] \right] \le \varepsilon' . \qquad (27) $$

This implies that the distribution $P_T$ has weight at least $1 - \varepsilon'$ on the set

$$ \mathrm{good} := \left\{ t \in \mathcal{T} \ \middle|\ H_\infty(X|T=t) \ge \left\lfloor H_\infty(X|T) - \log\tfrac{1}{\varepsilon'} \right\rfloor \right\} . $$

Accordingly, we can rewrite $\rho_{XTQ}$ as a convex combination

$$ \rho_{XTQ} = (1-p)\cdot\rho_{XTQ|T\notin\mathrm{good}} + p\cdot\rho_{XTQ|T\in\mathrm{good}} \quad \text{where } p = \Pr[\mathrm{good}] \ge 1 - \varepsilon' . \qquad (28) $$

Set $\sigma_{XTQ} := \rho_{XTQ|T\in\mathrm{good}}$. From (28), we conclude that $\frac{1}{2}\|\rho_{XTQ} - \sigma_{XTQ}\|_1 \le \varepsilon'$. By the monotonicity of the distance under CPTPM, it therefore suffices to show that

$$ H_\infty(X|T\mathcal{F}(Q))_\sigma \ge -\log P^{\mathcal{F}}_{\mathrm{succ}}\left( \left\lfloor H_\infty(X|T)_\rho - \log\tfrac{1}{\varepsilon'} \right\rfloor \right) . \qquad (29) $$

For this purpose, note that $\sigma_{XT\mathcal{F}(Q)}$ is given by the expression

$$ \sigma_{XT\mathcal{F}(Q)} = \sum_{t \in \mathrm{good}} P_{T|T\in\mathrm{good}}(t)\, |t\rangle\langle t| \otimes \rho_{X\mathcal{F}(Q)|T=t} . $$

In particular, by using (13) again, we have

$$ 2^{-H_\infty(X|T\mathcal{F}(Q))_\sigma} = \mathbb{E}_{t \leftarrow P_{T|T\in\mathrm{good}}}\left[ 2^{-H_\infty(X|\mathcal{F}(Q),T=t)_\rho} \right] . \qquad (30) $$

Using Lemma 2.1 (applied to the conditional state $\rho_{XQ|T=t}$), we conclude that

$$ H_\infty(X|\mathcal{F}(Q),T=t)_\rho \ge -\log P^{\mathcal{F}}_{\mathrm{succ}}\left( \left\lfloor H_\infty(X|T)_\rho - \log\tfrac{1}{\varepsilon'} \right\rfloor \right) \quad \text{for all } t \in \mathrm{good} . \qquad (31) $$

The claim (29) immediately follows from (30) and (31). □



2.4 Defeating a quantum adversary: essential building blocks 

In order to build oblivious transfer and bit commitment from weak string erasure, we will employ three additional tools: first, we require privacy amplification against a quantum adversary [49] as explained in Section 2.4.1. For oblivious transfer, we also need the notion of min-entropy sampling outlined in Section 2.4.2. In particular, we discuss how min-entropy about classical information is approximately preserved when considering randomly chosen subsystems. We then show in Section 2.4.4 how random subsets can be chosen in a cryptographically secure manner with a protocol called interactive hashing.
2.4.1 Privacy amplification

Intuitively, privacy amplification allows us to turn a long string $X$, about which the adversary holds some quantum information $Q$, into a shorter string $Z = \mathrm{Ext}(X, R)$ about which he is almost entirely ignorant. The maximal length of this new string is directly related to the min-entropy $H_\infty(X|Q)$ from Section 2.2. In order to obtain this new string, we will need a 2-universal hash function: Formally, a function $\mathrm{Ext} : \{0,1\}^n \times \mathcal{R} \to \{0,1\}^\ell$ is called 2-universal if for all $x \ne x' \in \{0,1\}^n$ and uniformly chosen $r \in \mathcal{R}$, we have $\Pr[\mathrm{Ext}(x,r) = \mathrm{Ext}(x',r)] \le 2^{-\ell}$.

Theorem 2.3 (Privacy amplification [49, 50]). Consider a set of 2-universal hash functions $\mathrm{Ext} : \{0,1\}^n \times \mathcal{R} \to \{0,1\}^\ell$, and a cq-state $\rho_{X^nQ}$, where $X^n$ is an $n$-bit string. Define $\rho_{X^nQR} := \rho_{X^nQ} \otimes \tau_{\mathcal{R}}$, i.e., $R$ is a random variable uniformly distributed on $\mathcal{R}$, and independent of $X^nQ$. Then

$$ \rho_{\mathrm{Ext}(X^n,R)RQ} \approx_{\varepsilon'} \tau_{\{0,1\}^\ell} \otimes \rho_{RQ} \quad \text{for } \varepsilon' := 2^{-\frac{1}{2}\left(H^\varepsilon_\infty(X^n|Q) - \ell\right) - 1} + 2\varepsilon \quad \text{for all } \varepsilon \ge 0 . $$

It is important to stress that the extracted key $\mathrm{Ext}(X^n, R)$ is secure even if the adversary is given $R$ in addition to $Q$. Theorem 2.3 immediately gives rise to a procedure allowing parties sharing some random variable $X^n$ to extract a key secure against an adversary holding $Q$. Indeed, one party can simply use independent randomness to pick $r \in \mathcal{R}$ uniformly at random, and distribute (publicly) the value of $r$. Because 2-universal hash functions can be efficiently constructed (e.g., using linear functions [10]), this privacy amplification protocol is efficient [9, 27, 7].



2.4.2 Min-entropy sampling with adversarily chosen partitions 

For oblivious transfer, we will make use of the sampling property of min-entropy which was first established by Vadhan [59] in the classical case, and in [32] for the classical-quantum case. Consider a cq-state $\rho_{X^nQ}$, where $X^n = (X_1,\ldots,X_n)$ is an $n$-bit string. An important property of smooth min-entropy is that the min-entropy rate

$$ \frac{H^\varepsilon_\infty(X^n|Q)}{n} \qquad (32) $$

is approximately preserved when considering a randomly chosen substring $X_S$ of $X^n$. In some sense, we can therefore think of (32) as the (average) min-entropy of an individual bit $X_i$ given $Q$.

The corresponding technical statement is slightly more involved. In essence, it requires picking a subset $S$ from a distribution $P_S$ over subsets of $[n]$ with certain properties ($P_S$ needs to be a so-called averaging sampler, see e.g., [22]). For concreteness, we consider the special case where $P_S$ is uniformly distributed over subsets of size $s = |S|$. Vadhan's result for the classical case [53] then shows that, for sufficiently large $s$, we have

$$ \frac{H^\varepsilon_\infty(X_S|C)}{s} \ge \frac{H_\infty(X^n|C)}{n} - \delta , $$

with high probability over the choice of $S$, for some small $\varepsilon > 0$ and $\delta > 0$. An analogous statement for the cq-case is given in [31]. A major difference is that the result of [32] for the quantum setting requires $X_i$ to be a block, i.e., a $\beta$-bit string instead of a single bit.

Since our work is mainly a proof of principle, we do not yet care about optimality or efficiency. We therefore choose $S$ to be uniform over all subsets of a fixed size $s$. Furthermore, it is sufficient for our purposes to ensure that the min-entropy rate decreases by at most a factor of 2. This leads to the following statement, which we derive by specializing the results of [32] (see appendix A.1 for details).

Lemma 2.4 (Min-entropy sampling [32]). Let $\rho_{ZQ}$ be a cq-state, where $Z = (Z_{i,\alpha})_{(i,\alpha)\in[m]\times[\beta]} \in M_{m\times\beta}(\{0,1\})$ is an $m\times\beta$-matrix with entries in $\{0,1\}$. Let $Z_i := (Z_{i,1},\ldots,Z_{i,\beta}) \in \{0,1\}^\beta$ be the $i$-th row of $Z$, such that $Z^m = (Z_1,\ldots,Z_m) = Z$. Let

$$ \lambda \le \frac{H^\varepsilon_\infty(Z|Q)_\rho}{m\beta} $$

be a lower bound on the smooth min-entropy rate of $Z$ given $Q$. Let $\omega \ge 2$ be a constant, and assume $s, \beta \in \mathbb{N}$ are such that

$$ s \ge m/4 \quad \text{and} \quad \beta \ge \max\left\{ 67,\ \frac{256\,\omega^2}{\ldots} \right\} , \qquad (33) $$

and let $P_S$ be the uniform distribution over subsets of $[m]$ of size $s$. Then

$$ \Pr_S\left[ \frac{H^{\varepsilon+4\delta}_\infty(Z_S|Q)_\rho}{s\beta} \ge \frac{\lambda}{2} \right] \ge 1 - \delta \quad \text{where } \delta = 2^{-m\lambda^2/(512\,\omega^2)} . $$

In Lemma 2.4 we have implicitly partitioned $\beta m$ bits into $m$ blocks $Z_1,\ldots,Z_m$ of $\beta$ bits each, by arranging the bits in the matrix $Z$. However, in our protocol we need to extend this result to the case where this partition is chosen arbitrarily, even in an adversarial manner. To formally state the corresponding generalization of Lemma 2.4, first observe that any partition of $\beta m$ bits into $m$ blocks is described by a permutation $\pi : [m]\times[\beta] \to [m]\times[\beta]$ where $\pi \in S_{m\cdot\beta}$. Given a matrix $Z$ and a permutation $\pi$, let $\pi(Z)_i = (Z_{\pi(i,1)},\ldots,Z_{\pi(i,\beta)})$ denote the $i$-th row of the matrix $\pi(Z)$ defined by permuting the entries of $Z$ using $\pi$, and let $\pi(Z)^m = (\pi(Z)_1,\ldots,\pi(Z)_m)$ be the $m$-tuple of these $\beta$-bit rows. We are interested in the min-entropy of the $s\beta$-bit substring $\pi(Z)_S = (\pi(Z)_{i_1},\ldots,\pi(Z)_{i_s})$, where $S = \{i_1,\ldots,i_s\} \subseteq [m]$. Note that the identity permutation $\pi(i,\alpha) = (i,\alpha)$ corresponds to the case of Lemma 2.4.

It will be important that the permutation $\Pi = \pi$ is a random variable which may depend on the adversary's quantum information $Q$. More precisely, we will assume that $\Pi$ is the result of a CPTPM applied to $Q$. Such a CPTPM takes the form $\mathcal{E} : \mathcal{B}(\mathcal{H}_Q) \to \mathcal{B}(\mathcal{H}_{Q'} \otimes \mathcal{H}_\Pi)$, and has the property that $\Pi$ is classical and a permutation in $S_{m\cdot\beta}$ for any input state. We now generalize Lemma 2.4 to deal with arbitrarily chosen partitions. The generalized version essentially follows from the easily verified fact that the min-entropy is invariant under reordering, i.e.,

$$ H^\varepsilon_\infty(Z|Q) = H^\varepsilon_\infty(\pi(Z)|Q) \quad \text{for all permutations } \pi \in S_{m\cdot\beta} . \qquad (34) $$

Again, we refer to appendix A.1 for the proof of the following statement.

Lemma 2.5. Let $\rho_{ZQ}$ be a cq-state, where $Z = (Z_{i,\alpha})_{(i,\alpha)\in[m]\times[\beta]} \in M_{m\times\beta}(\{0,1\})$ is an $m\times\beta$-matrix with entries in $\{0,1\}$. Assume that

$$ \frac{H^\varepsilon_\infty(Z|Q)_\rho}{m\beta} \ge \lambda , $$

and that $\lambda$ and $s, \beta \in \mathbb{N}$ satisfy condition (33) of Lemma 2.4. Let $\mathcal{E} : \mathcal{B}(\mathcal{H}_Q) \to \mathcal{B}(\mathcal{H}_{Q'} \otimes \mathcal{H}_\Pi)$ be a permutation-computing CPTPM, as explained above, and let

$$ \rho_{ZQ'\Pi} := (\mathbb{I}_Z \otimes \mathcal{E})(\rho_{ZQ}) . $$

Finally, let $P_S$ be the uniform distribution over subsets of $[m]$ of size $s$. Then for any constant $\omega \ge 2$

$$ \Pr_S\left[ \frac{H^{\varepsilon+4\delta}_\infty(\Pi(Z)_S|Q'\Pi)_\rho}{s\beta} \ge \frac{\lambda}{2} \right] \ge 1 - \delta \quad \text{where } \delta = 2^{-m\lambda^2/(512\,\omega^2)} . $$

2.4.3 Aborting a protocol 



As our protocols allow players to be malicious, they may abort simply by not sending a message. One way to handle this is to add a special symbol "aborted" to the definition of each primitive, and to handle this case separately in the protocol and the proof. For simplicity, we will take a different approach here. Whenever a player does not send any message (or a message that does not have the right format) the other player simply assumes that a particular valid message was sent, for example the string containing only zeros. Obviously, the malicious player could have sent this message himself, so refusing to send a message does not give any advantage to him. From now on we will therefore assume that all players always send a message when they are supposed to.

Footnote: Note that to decide whether Alice has sent a message requires having an upper bound on the delivery time of a message.
2.4.4 Interactive hashing

A final tool we need is interactive hashing [19, 52], first introduced in [?]. This is a two-party primitive where Bob inputs some string $W^*$, and Alice has no input. The primitive then generates two strings $W_0$, $W_1$, with the property that one of the two equals $W^*$. For a protocol implementing this primitive, security is intuitively specified by the following conditions: Alice does not learn which of the two strings is indeed equal to $W^*$. Conversely, Bob should have very little control over the other string created by the protocol. Figure 3 depicts the idealized version of this primitive.

[Figure 3: box labelled IH between Alice (left) and Bob (right)]

Figure 3: The concept of interactive hashing (IH): Honest Bob has input $W^*$. Interactive hashing creates substrings $W_0$ and $W_1$ such that there exists $D \in \{0,1\}$ with $W_D = W^*$, where $D$ is unknown to Alice, and Bob has little control over the choice of $W_{1-D}$.

More formally, the following is achieved in [19, Theorem 5.6], where we refer to [52] for the exact parameters used in the security condition for Alice.

Lemma 2.6 (Interactive Hashing [19, 52]). There exists a protocol called interactive hashing (IH) between two players, Alice and Bob, where Alice has no input, Bob has input $W^* \in \{0,1\}^t$ and both players output $(W_0, W_1) \in \{0,1\}^t \times \{0,1\}^t$, satisfying the following:

Correctness: If both players are honest, then $W_0 \ne W_1$ and there exists a $D \in \{0,1\}$ such that $W_D = W^*$. Furthermore, the distribution of $W_{1-D}$ is uniform on $\{0,1\}^t \setminus \{W^*\}$.

Security for Bob: If Bob is honest, then $W_0 \ne W_1$ and there exists a $D \in \{0,1\}$ such that $W_D = W^*$. If Bob chooses $W^*$ uniformly at random, then $D$ is uniform and independent of Alice's view.

Security for Alice: If Alice is honest, then for every subset $S \subseteq \{0,1\}^t$,

$$ \Pr[W_0 \in S \text{ and } W_1 \in S] \le 16 \cdot \frac{|S|}{2^t} . $$

Note that even though this is not explicitly mentioned in [52], aborts need to be treated as explained in Section 2.4.3 to achieve Lemma 2.6.

3 Weak string erasure in the noisy-storage model 

We are now ready to introduce our main primitive. After giving a precise security definition in Section 3.1, we present a protocol for realizing this primitive in the noisy-storage model. We will subsequently show that the protocol satisfies the given security definition.

3.1 Definition

"Strong" versus weak string erasure

In an ideal world, string erasure would realize the ideal functionality depicted in Figure 4. It takes no inputs, but provides Alice with a uniformly distributed $n$-bit string $X^n = (X_1,\ldots,X_n) \in \{0,1\}^n$, while Bob receives a random subset $I = \{i_1,\ldots,i_{|I|}\} \subseteq [n]$ and the substring $X_I$. The set of indices $I$ would thereby be uniformly distributed over the set $2^{[n]}$ of all subsets of $[n]$. Intuitively, we think of the complement of $I$ as the locations of the "erased" bits.



[Figure 4: box labelled WSE with Alice on the left, receiving $X^n = (X_1,\ldots,X_n)$, and Bob on the right]

Figure 4: The ideal functionality of string erasure. The actual weak string erasure is somewhat weaker; however, a dishonest party cannot gain significantly more information from the protocol than provided by the "box" depicted above.

Ideally, we would like to realize the functionality in Figure 4 in such a way that even a dishonest party cannot learn anything at all beyond what is provided by the box. Unfortunately, this definition is too stringent to be achieved by our protocol. We therefore relax our functionality to weak string erasure, where the players may gain a small amount of additional information. More precisely, we allow a dishonest Bob to learn some information about $X^n$ possibly different from $(I, X_I)$. However, we demand that his total information about $X^n$ is limited: given a dishonest Bob's system $B'$, he still has some residual amount of uncertainty about $X^n$. For a dishonest Alice, we essentially retain the strong security property that she does not learn anything about the set of indices $I$ that Bob receives. In order to obtain bit commitment and oblivious transfer later on, we also demand one additional property that may seem superfluous from a classical perspective, namely that Alice is "committed" to a choice of $X^n$ at the end of the protocol. This difficulty arises since, unlike in a classical setting, a dishonest Alice may for example store some quantum information and perform measurements only at a later time. This may allow her to determine parts of $X^n$ after the protocol is completed. Security against such attacks is subtle to define in a quantum setting. To address this problem, we define security in terms of an "ideal" state $\sigma_{A'X^nIX_I}$ that could have been obtained by an honest Alice by preparing some state on $A'$ using $X^n$ (i.e., by post-processing). Our security definition then demands that the actual state $\rho_{A'B}$ shared by dishonest Alice and honest Bob after the execution of the protocol has the same form as the partial trace of the ideal state, that is, $\rho_{A'B} = \sigma_{A'IX_I}$.

Formal definition 

In the following definition of weak string erasure, we write $\rho_{AB}$ for the resulting state at the end of the protocol if both parties are honest, $\rho_{A'B}$ if Alice is dishonest and $\rho_{AB'}$ if Bob is dishonest. Our definition is phrased in terms of ideal states denoted by $\sigma$ that exhibit all the desired properties of weak string erasure. We then demand that the actual states $\rho$ created during a real execution of the protocol are at least $\varepsilon$-close to such ideal states no matter what kind of attack the dishonest party may perform.

Definition 3.1. An $(n, \lambda, \varepsilon)$-weak string erasure (WSE) scheme is a protocol between Alice and Bob satisfying the following properties:

Correctness: If both parties are honest, then the ideal state $\sigma_{X^nIX_I}$ is defined such that

1. The joint distribution of the $n$-bit string $X^n$ and subset $I$ is uniform:

$$ \sigma_{X^nI} = \tau_{\{0,1\}^n} \otimes \tau_{2^{[n]}} , \qquad (35) $$

2. The joint state $\rho_{AB}$ created by the real protocol is equal to the ideal state:

$$ \rho_{AB} = \sigma_{X^n(IX_I)} , \qquad (36) $$

where we identify $(A, B)$ with $(X^n, (I, X_I))$.

Security for Alice: If Alice is honest, then there exists an ideal state $\sigma_{X^nB'}$ such that

1. The amount of information $B'$ gives Bob about $X^n$ is limited:

$$ \frac{1}{n} H_\infty(X^n|B')_\sigma \ge \lambda , $$

2. The joint state $\rho_{AB'}$ created by the real protocol is $\varepsilon$-close to the ideal state:

$$ \sigma_{X^nB'} \approx_\varepsilon \rho_{AB'} , $$

where we identify $(X^n, B')$ with $(A, B')$.

Security for Bob: If Bob is honest, then there exists an ideal state $\sigma_{A'X^nIX_I}$, where $X^n \in \{0,1\}^n$ and $I \subseteq [n]$, such that

1. The random variable $I$ is independent of $A'X^n$ and uniformly distributed over $2^{[n]}$;

2. The joint state $\rho_{A'B}$ created by the real protocol, conditioned on the event that Alice does not abort, is equal to the ideal state:

$$ \rho_{A'B} = \sigma_{A'(IX_I)} , $$

where we identify $(A', B)$ with $(A', IX_I)$.

Note that we do not require $X^n$ to be uniform when Bob is dishonest. To show security of bit commitment and oblivious transfer we will only require that $X^n$ has high min-entropy. The condition that the real state is close to an ideal state having high min-entropy means that the real state has smooth min-entropy as outlined in Section 2.

3.2 Protocol 

We now consider a simple protocol achieving weak string erasure in the noisy-storage model using BB84-states. Other encodings are certainly possible, and we will discuss some of the implications of this choice of encoding in Section 6. This protocol is essentially identical to the first step of known protocols for quantum key distribution [65, 4]. However, as explained in the last section, our security requirements differ greatly as we are dealing with two mutually distrustful parties.

Protocol 1: Weak String Erasure (WSE)

Outputs: $x^n \in \{0,1\}^n$ to Alice, $(I, z^{|I|}) \in 2^{[n]} \times \{0,1\}^{|I|}$ to Bob.

1. Alice: Chooses a string $x^n \in_R \{0,1\}^n$ and a bases-specifying string $\theta^n \in_R \{0,1\}^n$ uniformly at random. She encodes each bit $x_i$ in the basis given by $\theta_i$ (i.e., as $H^{\theta_i}|x_i\rangle$) and sends it to Bob.

2. Bob: Chooses a basis string $\hat\theta^n \in_R \{0,1\}^n$ uniformly at random. When receiving the $i$-th qubit, Bob measures it in the basis given by $\hat\theta_i$ to obtain outcome $\hat x_i$.

Both parties wait time $\Delta t$.

3. Alice: Sends the basis information $\theta^n$ to Bob, and outputs $x^n$.

4. Bob: Computes $I := \{ i \in [n] \mid \theta_i = \hat\theta_i \}$, and outputs $(I, z^{|I|}) := (I, \hat x_I)$.
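The honest execution of Protocol 1 can be simulated classically, because an honest Bob measuring $H^{\theta_i}|x_i\rangle$ in the matching basis obtains $x_i$ with certainty and in the other basis obtains a uniformly random bit. The following added example (not code from the paper) simulates the four steps with that rule, applies the abort convention of Section 2.4.3 to Alice's basis announcement (a missing or malformed announcement is read as the all-zero string), and checks the correctness condition of Definition 3.1. The function names and the seeded pseudo-random generator are choices of this example.

```python
import random

def parse_basis_announcement(msg, n):
    """Abort handling from Section 2.4.3: a missing or malformed basis string theta^n
    is treated as the all-zero string, a valid message Alice could have sent herself."""
    if msg is None or len(msg) != n or any(b not in (0, 1) for b in msg):
        return [0] * n
    return list(msg)

def bob_sift(announced_theta, theta_hat, x_hat):
    """Step 4: keep exactly the positions where Bob's basis matches Alice's."""
    I = [i for i in range(len(theta_hat)) if announced_theta[i] == theta_hat[i]]
    return I, [x_hat[i] for i in I]

def honest_wse(n, seed=None, drop_announcement=False):
    """Simulate Protocol 1 between an honest Alice and an honest Bob.
    Returns (alice_output, bob_output) = (x^n, (I, z^{|I|}))."""
    rng = random.Random(seed)
    # Step 1: Alice's string x^n and basis string theta^n, both uniform.
    x = [rng.randrange(2) for _ in range(n)]
    theta = [rng.randrange(2) for _ in range(n)]
    # Step 2: Bob's bases and measurement outcomes, qubit by qubit. Same basis: x_i for
    # certain; other basis: a fresh uniform bit (no quantum state needs to be tracked).
    theta_hat = [rng.randrange(2) for _ in range(n)]
    x_hat = [x[i] if theta_hat[i] == theta[i] else rng.randrange(2) for i in range(n)]
    # (both parties wait time Delta t; nothing to simulate here)
    # Step 3: Alice announces theta^n and outputs x^n. drop_announcement models an
    # Alice who sends nothing, which Bob resolves as in Section 2.4.3.
    announced = parse_basis_announcement(None if drop_announcement else theta, n)
    # Step 4: Bob sifts.
    return x, bob_sift(announced, theta_hat, x_hat)

def correct(alice_out, bob_out):
    """Correctness requirement of Definition 3.1: Bob's substring equals x_I."""
    x = alice_out
    I, z = bob_out
    return z == [x[i] for i in I] and I == sorted(set(I))

if __name__ == "__main__":
    x, (I, z) = honest_wse(32, seed=7)
    print("x^n =", "".join(map(str, x)))
    print("I   =", I)
    print("z   =", "".join(map(str, z)), "correct:", correct(x, (I, z)))
```

With both parties honest roughly half of the positions survive sifting and every kept bit agrees with Alice's; with the announcement dropped Bob still produces a well-formed output, but it is computed against the all-zero basis string rather than Alice's real one, so nothing is gained by withholding the message.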



Our main claim is the following: 
[Figure 5: circuit diagram; labels "Honest Bob" and "time $t + \Delta t$"]

Figure 5: The protocol as a circuit. Alice chooses a random string $x^n = (x_1,\ldots,x_n) \in \{0,1\}^n$. She then encodes the bits in random bases specified by $\theta^n = (\theta_1,\ldots,\theta_n) \in \{0,1\}^n$ and sends the corresponding quantum states to Bob. Bob measures in random bases specified by $\hat\theta^n = (\hat\theta_1,\ldots,\hat\theta_n) \in \{0,1\}^n$ obtaining measurement outcomes $\hat x^n = (\hat x_1,\ldots,\hat x_n)$. Upon reception of the basis string $\theta^n$, Bob determines the locations where he measured in the same basis by computing the bit-wise xor $(\theta_1 \oplus \hat\theta_1, \ldots, \theta_n \oplus \hat\theta_n)$. He subsequently discards the bits he measured in the wrong bases (indicated by $\perp$: this replaces the classical input symbol by an erasure symbol).



Theorem 3.2 (Weak string erasure). (i) Let $\delta \in ]0, \tfrac{1}{2}[$ and let Bob's storage be given by $\mathcal{F} : \mathcal{B}(\mathcal{H}_{\mathrm{in}}) \to \mathcal{B}(\mathcal{H}_{\mathrm{out}})$. Then Protocol 1 is an $(n, \lambda(\delta,n), \varepsilon(\delta,n))$-weak string erasure protocol with min-entropy rate

$$ \lambda(\delta,n) := -\frac{1}{n}\log P^{\mathcal{F}}_{\mathrm{succ}}\left(\left(\tfrac{1}{2} - \delta\right)\cdot n\right) , $$

and error

$$ \varepsilon(\delta,n) := 2\exp\left( -\frac{\delta^2}{512\,\left(4 + \log\frac{1}{\delta}\right)^2}\cdot n \right) . \qquad (37) $$

(ii) Suppose $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$ for a storage rate $\nu > 0$, $\mathcal{N}$ satisfying the strong-converse property (4) and having capacity $C_{\mathcal{N}}$ bounded by

$$ C_{\mathcal{N}} \cdot \nu < \tfrac{1}{2} . $$

Let $\delta \in ]0, \tfrac{1}{2} - C_{\mathcal{N}}\cdot\nu[$. Then Protocol 1 is an $(n, \lambda(\delta), \varepsilon(\delta,n))$-weak string erasure protocol for sufficiently large $n$, where

$$ \lambda(\delta) := \nu \cdot \gamma^{\mathcal{N}}\!\left(\frac{\frac{1}{2} - \delta}{\nu}\right) . $$

It is easy to see that the protocol is correct if both parties are honest: if Alice is honest, her string $X^n = x^n$ is chosen uniformly at random from $\{0,1\}^n$ as desired, and if Bob is honest, he will clearly obtain $\hat x_i = x_i$ whenever $i \in I$ for a random subset $I \subseteq [n]$. The remainder of Section 3 is thus devoted to proving security if one of the parties is dishonest: In Section 3.3 we use the properties of the channel to show that the protocol is secure against a dishonest Bob. In Section 3.4 we argue that the protocol satisfies Definition 3.1 when Alice is dishonest.

3.3 Security for honest Alice 

We now show that for any cheating strategy of a dishonest Bob, his min-entropy about the string $X^n = (X_1,\ldots,X_n)$ is large. Before turning to the proof, we first explain in Figure 6 how our model restricts the actions of Bob in our protocol. At time $t$, Bob receives an encoding of a classical string $x^n = (x_1,\ldots,x_n)$
[Figure 6: circuit with labels "classical $K$", "Encoding attack $\mathcal{E}$", "Basis information", "guess $X$", "Time $t$", "Time $t + \Delta t$"]

Figure 6: The most general structure of a cheating Bob. Bob's action at time $t$ consists of a CPTPM $\mathcal{E}_1$, followed by a (partial) measurement $\mathcal{K}$, where he may use an arbitrary ancilla $\rho_{\mathrm{aux}}$. At time $t + \Delta t$, Bob can try to reconstruct $x^n = (x_1,\ldots,x_n)$ given the content $\mathcal{F}(Q_{\mathrm{in}})$ of the storage device, the classical measurement result $K = \mathcal{K}(Q)$, and the basis information $\theta^n = (\theta_1,\ldots,\theta_n)$.

which he would like to reconstruct as accurately as possible. To this end, he can apply any CPTPM $\mathcal{E} : \mathcal{B}((\mathbb{C}^2)^{\otimes n}) \to \mathcal{B}(\mathcal{H}_{\mathrm{in}} \otimes \mathcal{H}_K)$ with the following property: For any input state $\rho$ on $(\mathbb{C}^2)^{\otimes n}$, he obtains an output state $\rho_{Q_{\mathrm{in}}K} = \mathcal{E}(\rho)$, where $Q_{\mathrm{in}}$ is the quantum information he will put into his quantum storage, and $K$ is any additional classical information he retains. Note that we allow an arbitrary amount of classical storage, that is, $\mathcal{H}_K$ may be arbitrarily large (see footnote). We call the map $\mathcal{E}$ Bob's encoding attack.

We can think of the encoding attack $\mathcal{E}$ as being composed of two steps, $\mathcal{E} = (\mathbb{I}_{Q_{\mathrm{in}}} \otimes \mathcal{K}) \circ \mathcal{E}_1$, where Bob first applies an arbitrary CPTPM $\mathcal{E}_1 : \mathcal{B}((\mathbb{C}^2)^{\otimes n}) \to \mathcal{B}(\mathcal{H}_{\mathrm{in}} \otimes \mathcal{H}_Q)$, and subsequently performs a measurement $\mathcal{K} : \mathcal{B}(\mathcal{H}_Q) \to \mathcal{B}(\mathcal{H}_K)$ on $\mathcal{H}_Q$. The outcome of this measurement forms his classical information $K = \mathcal{K}(Q)$. For example, Bob can measure some of the incoming qubits, or encode some information using an error-correcting code. The joint state before his storage noise is applied is hence given by

$$ \rho_{X^n\Theta^nKQ_{\mathrm{in}}} = \frac{1}{4^n}\sum_{x^n,\theta^n,k} P_{K|X^n=x^n,\Theta^n=\theta^n}(k)\, |x^n\rangle\langle x^n| \otimes |\theta^n\rangle\langle\theta^n| \otimes |k\rangle\langle k| \otimes \rho_{x^n\theta^nk} , \qquad (38) $$

where $\rho_{x^n\theta^nk}$ is the conditional state on $\mathcal{H}_{\mathrm{in}}$ conditioned on the string $X^n = x^n$, the basis choice $\Theta^n = \theta^n$ and Bob's classical measurement outcome $K = k$. The state (38) is completely determined by Bob's encoding attack $\mathcal{E}$ at time $t$.

Bob's storage $Q_{\mathrm{in}}$ then undergoes noise described by $\mathcal{F} : \mathcal{B}(\mathcal{H}_{\mathrm{in}}) \to \mathcal{B}(\mathcal{H}_{\mathrm{out}})$, and the state evolves to $\rho_{X^n\Theta^nK\mathcal{F}(Q_{\mathrm{in}})}$. At time $t + \Delta t$, Bob additionally receives the basis information $\Theta^n = \theta^n$. The joint state is now given by

$$ \rho_{X^n\Theta^nK\mathcal{F}(Q_{\mathrm{in}})} = \frac{1}{4^n}\sum_{x^n,\theta^n,k} P_{K|X^n=x^n,\Theta^n=\theta^n}(k)\, |x^n\rangle\langle x^n| \otimes |\theta^n\rangle\langle\theta^n| \otimes |k\rangle\langle k| \otimes \mathcal{F}(\rho_{x^n\theta^nk}) , \qquad (39) $$

where Bob holds $B' = \Theta^nK\mathcal{F}(Q_{\mathrm{in}})$. We now show that Bob's information $B'$ about $X^n$ is limited for large $n$.



Theorem 3.3 (Security for Alice). Fix $\delta$ and let

Then for any attack of a dishonest Bob with storage $\mathcal{F} : \mathcal{B}(\mathcal{H}_{\mathrm{in}}) \to \mathcal{B}(\mathcal{H}_{\mathrm{out}})$, there exists a cq-state $\sigma_{X^nB'}$ such that

Footnote: It is sufficient for any adversary to store $2^n$ bits, one for each possible basis string $\theta^n$ [1].

1. $\sigma_{X^nB'} \approx_\varepsilon \rho_{X^nB'}$,

2. $\frac{1}{n}H_\infty(X^n|B')_\sigma \ge -\frac{1}{n}\log P^{\mathcal{F}}_{\mathrm{succ}}\left(\left(\tfrac{1}{2} - \delta\right)\cdot n\right)$,

where $\rho_{X^nB'}$ is given by (39). In particular, if, for some $R < \tfrac{1}{2}$, we have $\lim_{n\to\infty} -\frac{1}{n}\log P^{\mathcal{F}}_{\mathrm{succ}}(nR) > 0$, then $\rho_{X^nB'}$ is exponentially close (in $n$) to a state $\sigma_{X^nB'}$ with constant min-entropy rate $\frac{1}{n}H_\infty(X^n|B')_\sigma$.

Proof. We use the notation introduced in (39). By definition (15) of the smooth min-entropy, statements (1) and (2) follow if we show that the smooth min-entropy rate $\frac{1}{n}H^\varepsilon_\infty(X^n|B')_\rho$ is lower bounded by the expression on the rhs. in (2). By the uncertainty relation (19), we have

Using Lemma 2.2 applied to $T = (\Theta^n, K)$, we conclude that for $Q_{\mathrm{out}} = \mathcal{F}(Q_{\mathrm{in}})$ after the noise there exists the claimed ideal state and

where the final inequality follows from the monotonicity property of the success probability $P^{\mathcal{F}}_{\mathrm{succ}}(m) \le P^{\mathcal{F}}_{\mathrm{succ}}(m')$ for $m \ge m'$ and the fact that $\log\frac{1}{\varepsilon} \le \ldots$ because $(\delta/4)^2 / \left(32\,(2 - \log(\delta/4))^2\right) \le \ldots$ for any $0 < \delta < 1/2$. □

Let us specialize Theorem 3.3 to the case where $\mathcal{F}$ is a tensor product channel.

Corollary 3.4. Let Bob's storage be described by $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$ with $\nu > 0$, where $\mathcal{N}$ satisfies the strong-
converse property (4), and

$$C_{\mathcal{N}} \cdot \nu < \frac{1}{2} .$$

Fix $\delta \in \,]0, \tfrac{1}{2} - C_{\mathcal{N}} \cdot \nu[$, and let $\varepsilon = \varepsilon(\delta, n)$ be defined by (37). Then for any attack of a dishonest Bob, there
exists a cq-state $\sigma_{X^n B'}$ such that

1. $\sigma_{X^n B'} \approx_\varepsilon \rho_{X^n B'}$,

2. $\frac{1}{n} H_\infty(X^n|B')_\sigma \geq \nu \cdot \gamma^{\mathcal{N}}\Big(\frac{1/2 - \delta}{\nu}\Big) > 0$,

where $\rho_{X^n B'}$ is given by (39).

Proof. Substituting n by νn and R by R/ν, the strong-converse property (4) turns into

$$-\frac{1}{n} \log P^{\mathcal{N}^{\otimes \nu n}}_{succ}(nR) \geq \nu \cdot \gamma^{\mathcal{N}}(R/\nu)$$

for sufficiently large n. The claim then follows from Theorem 3.3 by setting $R := \frac{1}{2} - \delta$. □

Theorem 3.3 and Corollary 3.4 establish the first part of Theorem 3.2. It remains to analyze the security
against a dishonest Alice.
Figure 7: This circuit shows the interaction between a dishonest party Alice and an honest Bob: Alice
sends some n-qubit register $Q_A$ and n classical bits $\Theta^n$ to Bob, and also retains some possibly quantum
register T. Honest Bob computes $\mathcal{I}$ and $\hat X^n$ as before. This generates an overall state $\rho_{\Theta^n T \mathcal{I} \hat X^n}$, where
Alice's information A' after execution consists of the classical string $\Theta^n$ and T.

Figure 8: In the security proof, we put an intermediate "simulator" between Alice and Bob to generate the
state $\sigma_{A' X^n \mathcal{I}}$. We will show that security definition 3.1 is satisfied with $\sigma_{A' X^n \mathcal{I}}$. The simulator measures
the quantum register in the basis specified by the bit string. He then encodes the measurement result
$X^n = (X_1, \ldots, X_n)$ into randomly chosen bases.



3.4 Security for honest Bob

When Alice is dishonest, it is intuitively obvious that she is unable to gain any information about the index
set $\mathcal{I}$, since she never receives any information from Bob during our protocol. Yet, in order to obtain bit
commitment and oblivious transfer from weak string erasure we require a more careful security analysis.
Figure 7 depicts the form of any interaction between a cheating Alice and an honest Bob. Since Alice
takes no input in the protocol, her actions are completely specified by the state $\rho_{Q_A \Theta^n T}$ she outputs, where
$\mathcal{H}_{Q_A} = (\mathbb{C}^2)^{\otimes n}$ is an n-qubit register that she sends to Bob (in the case where Alice is honest, this encodes
the string $X^n$), $\Theta^n$ is some classical n-bit string (in the case where Alice is honest, this encodes the bases),
and $\mathcal{H}_T$ is an auxiliary register of Alice corresponding to the (quantum) information she holds after execution
of the protocol. In the actual protocol, an honest Bob proceeds as shown in Figure 8, that is,

1. Upon receipt of $Q_A$ at time t, an honest Bob measures in randomly chosen bases specified by the string
$\hat\Theta^n = (\hat\Theta_1, \ldots, \hat\Theta_n) \in_R \{0,1\}^n$, obtaining measurement outcomes $\hat X^n = (\hat X_1, \ldots, \hat X_n)$.

2. After receiving $\Theta^n = (\Theta_1, \ldots, \Theta_n)$ at time $t + \Delta t$, he computes the intersecting set $\mathcal{I}$ defined by $\Theta^n$
and $\hat\Theta^n$, and the corresponding substring $\hat X_{\mathcal{I}}$.

The protocol thus creates some state $\rho_{A' B}$, where $A' = (\Theta^n T)$ is Alice's information, and $B = (\mathcal{I} \hat X_{\mathcal{I}})$
is the information obtained by Bob. Note that this state can be obtained from $\rho_{\Theta^n T \hat X^n \hat\Theta^n}$ because $\mathcal{I}$ is a
function of $\Theta^n$ and $\hat\Theta^n$, and $\hat X_{\mathcal{I}}$ is a function of $\hat X^n$ and $\mathcal{I}$.

Theorem 3.5 (Security for Bob). Protocol 1 satisfies security for honest Bob.
Proof. We now construct a state $\sigma_{A' X^n \mathcal{I}}$ with the required properties. For simplicity, we give an algorithmic
description of this state. It is obtained by letting Alice and Bob interact with a simulator which has perfect
quantum memory. Note that this simulator is purely imaginary and is merely used to specify the desired
ideal state $\sigma_{A' X^n \mathcal{I}}$. However, we will later show that the real state created during the protocol equals this
ideal state on the registers held by Alice and Bob. Figure 8 summarizes the actions of the simulator:

1. First, the simulator measures the n qubits $Q_A$ in the bases specified by the bits $\Theta^n = (\Theta_1, \ldots, \Theta_n)$,
obtaining measurement outcomes $X^n = (X_1, \ldots, X_n)$.

2. Second, the simulator re-encodes the measurement outcomes $X^n$ using randomly chosen bases specified
by $\tilde\Theta^n = (\tilde\Theta_1, \ldots, \tilde\Theta_n) \in_R \{0,1\}^n$. He then sends the corresponding qubits to Bob (i.e., the states
$H^{\tilde\Theta_i} |X_i\rangle$). We call this quantum register $\tilde Q_A$.

3. Finally, the simulator provides Bob with the basis string $\tilde\Theta^n = (\tilde\Theta_1, \ldots, \tilde\Theta_n)$.

An honest Bob proceeds as before, but with $\Theta^n$ replaced by the simulator's string $\tilde\Theta^n$, and $Q_A$ replaced by
the simulator's quantum message $\tilde Q_A$. As before, Alice's information $A' = (T \Theta^n)$ consists of the string $\Theta^n$
and her (quantum) system T. The state $\sigma_{A' X^n \mathcal{I}}$ held by Alice and Bob can be obtained from $\sigma_{A' X^n \tilde\Theta^n \hat\Theta^n}$,
noting that $\hat X_{\mathcal{I}} = X_{\mathcal{I}}$.

Let us argue that $\sigma_{A' X^n \mathcal{I}}$ has the properties required by Definition 3.1. First, observe that

since both $\tilde\Theta^n$ and $\hat\Theta^n$ are chosen uniformly and independently at random by the simulator and Bob,
respectively. Since the set $\mathcal{I}$ consists of those indices where $\tilde\Theta^n$ and $\hat\Theta^n$ agree, we conclude that $\mathcal{I}$ is uniform
on the set of subsets of [n], and independent of $A' X^n$. That is, the previous identity implies

$$\sigma_{A' X^n \mathcal{I}} = \sigma_{A' X^n} \otimes \tau_{2^{[n]}} , \qquad (40)$$

as desired.

It remains to prove that the state created during the real protocol equals this ideal state, that is,

$$\rho_{A' B} = \sigma_{(\Theta^n T)(\mathcal{I} X_{\mathcal{I}})} . \qquad (41)$$

To produce the state $\sigma_{(\Theta^n T)(\mathcal{I} X_{\mathcal{I}})}$, honest Bob (interacting with the simulator) measures all qubits in the
bases $\hat\Theta^n$. Since we are only interested in $X_{\mathcal{I}}$, we could instead apply the first measurement and re-encoding
(by the simulator) and the second measurement (by Bob) only on the qubits in $\mathcal{I}$ without affecting the
output. But since for all $i \in \mathcal{I}$, we have $\tilde\Theta_i = \hat\Theta_i$, the re-encoding and the second measurement are always
in the same basis, and can therefore be removed. Therefore, the state $\sigma_{(\Theta^n T)(\mathcal{I} X_{\mathcal{I}})}$ can also be produced in
the following way: Let Alice output registers $(Q_A, \Theta^n, T)$. We first choose $\mathcal{I} \subseteq [n]$ uniformly at random.
Then, we measure all qubits in $\mathcal{I}$ in bases $\Theta_i$ to get $X_{\mathcal{I}}$, and output registers $(\Theta^n, T, \mathcal{I}, X_{\mathcal{I}})$. Since all qubits
in the complement $\mathcal{I}^c$ are discarded anyway, we can measure them in $\Theta_{\mathcal{I}^c}$ without affecting the reduced
state $\sigma_{(\Theta^n T)(\mathcal{I} X_{\mathcal{I}})}$. This is exactly what happens in the real protocol producing the state $\rho_{A' B}$, which implies
Eq. (41). □



3.5 Application to concrete tensor product channels

We examine the security parameters we can obtain for several well-known channels. A simple example is
the d-dimensional depolarizing channel defined in (5), which replaces the input state ρ with the completely
mixed state with probability 1 − r. Another simple example is the one-qubit two-Pauli channel [30]

$$\mathcal{N}_{\mathrm{Pauli}}(\rho) = r \rho + \frac{1 - r}{2} X \rho X + \frac{1 - r}{2} Z \rho Z .$$

Both these channels obey the strong-converse property (4) (see [35]), allowing us to obtain security of weak
string erasure by Corollary 3.4.

For simplicity, we first consider the case where the storage rate is ν = 1, that is, Bob's storage system
is $(\mathbb{C}^d)^{\otimes n}$, i.e., n copies of a d-dimensional system, and his noise channel is $\mathcal{F} = \mathcal{N}^{\otimes n}$. We first determine
the values of r that allow for a secure implementation of weak string erasure. By Corollary 3.4, the capacity
of the channel $\mathcal{N}$ must be bounded by $C_{\mathcal{N}} < \frac{1}{2}$. The table given in Figure 9 summarizes the relevant
parameters.



Channel             | Capacity $C_{\mathcal{N}}$                                                                                       | Reference | Threshold
--------------------|------------------------------------------------------------------------------------------------------------------|-----------|----------
Qubit depolarizing  | $1 + \frac{1+r}{2} \log \frac{1+r}{2} + \frac{1-r}{2} \log \frac{1-r}{2}$                                      |           | r < 0.77
Qutrit depolarizing | $\log 3 + \big(r + \frac{1-r}{3}\big) \log \big(r + \frac{1-r}{3}\big) + 2 \cdot \frac{1-r}{3} \log \frac{1-r}{3}$ | El        | r < 0.61
Two-Pauli           | 1 ;j(^l+n-Cr,2r-l)j                                                                                              |           | r < 0.77

Figure 9: A sufficient condition for achieving security (for storage rate ν = 1) is that the noise parameter r
lies below the threshold given above. This is equivalent to $C_{\mathcal{N}} < \frac{1}{2}$.

When allowing storage rates other than ν = 1, we may again consider the regime where our proof
provides security. Figure 10 examines this setting for the qutrit depolarizing channel and the two-Pauli
channel, respectively.

[Figure 10: plot of the noise parameter r (vertical axis, up to 1.0) against the storage rate ν; the region below the curves is labelled "secure realization".]

Figure 10: Tradeoff between ν and r: security can be obtained for the qutrit depolarizing channel below the
solid blue line and the two-Pauli channel below the dashed red line. Note, however, that for the same storage
rate the dimension of the storage system is larger for the qutrit than for the qubit channel.



To determine the exact security of the protocol, we need to compute the min-entropy rate

$$\lambda(\delta) := \nu \cdot \gamma^{\mathcal{N}}\Big(\frac{1/2 - \delta}{\nu}\Big)$$

as stated in Corollary 3.4. For the class of channels $\mathcal{N}: \mathcal{B}(\mathbb{C}^d) \to \mathcal{B}(\mathbb{C}^d)$ considered in [36], the strong
converse property (4) was shown to be satisfied with the function given by

$$\gamma^{\mathcal{N}}(R) = \max_{\alpha > 1} \frac{\alpha - 1}{\alpha} \Big( R - \log d + S^{\min}_\alpha(\mathcal{N}) \Big) ,$$

where $S^{\min}_\alpha(\mathcal{N})$ is the minimum output α-Rényi-entropy of the channel. For the d-dimensional depolarizing
channel (see (5)) we may rewrite this expression [31] as

- ^ («- ih'-^y^^'-'i^y)) ■

Figure 11 shows how the min-entropy rate λ(δ) relates to the noise parameter r for the qubit and qutrit
depolarizing channels for a storage rate of ν = 1 and error δ = 0.01. The figure shows that the min-entropy
rate we can achieve in our protocol is directly related to the amount of noise in the storage.

Figure 11: The value of the min-entropy rate λ for the qubit depolarizing channel (dashed red line) and the
qutrit depolarizing channel (solid blue line) as a function of the noise parameter r, for ν = 1 and δ = 0.01.
Using qutrits means that the dimension of the overall storage system is higher, and we expect the resulting
higher capacity to lead to a smaller min-entropy rate λ. Our analysis confirms this intuition.
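The following is an added numerical example, not code from the paper: it reproduces the thresholds of Figure 9 and the min-entropy rate λ(δ) of Figure 11 for the d-dimensional depolarizing channel at storage rate ν = 1. It assumes (standard results, not stated on this page) that the channel's capacity is $\log d - H(p)$ and its minimum output α-Rényi entropy is $S_\alpha(p)$, both evaluated on the output spectrum $p$ of a pure input state; the maximum over α is approximated on a grid.

```python
"""Added example (not from the paper): capacity thresholds (Figure 9) and the
min-entropy rate lambda(delta) = gamma^N(1/2 - delta) (Figure 11, nu = 1) for the
d-dimensional depolarizing channel N(rho) = r*rho + (1-r)*I/d.

Assumption (labelled): C_N = log d - H(p) and S_alpha^min(N) = S_alpha(p), where
p = (r + (1-r)/d, (1-r)/d, ..., (1-r)/d) is the output spectrum of a pure input.
The max over alpha > 1 in gamma^N is taken on a finite grid.
"""
import math


def output_spectrum(d, r):
    """Eigenvalues of N(|psi><psi|) for any pure input of the depolarizing channel."""
    return [r + (1.0 - r) / d] + [(1.0 - r) / d] * (d - 1)


def shannon_bits(p):
    return -sum(x * math.log2(x) for x in p if x > 0.0)


def capacity(d, r):
    """C_N(r) = log d - H(output spectrum): the formulas tabulated in Figure 9."""
    return math.log2(d) - shannon_bits(output_spectrum(d, r))


def threshold(d, target=0.5, tol=1e-9):
    """Largest r with C_N(r) < target (Corollary 3.4 needs C_N * nu < 1/2).
    C_N is increasing in r (0 at r = 0, log d at r = 1), so bisection works."""
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if capacity(d, mid) < target:
            lo = mid
        else:
            hi = mid
    return lo


def renyi_min_output(d, r, alpha):
    """S_alpha^min(N) = (1/(1-alpha)) log sum_i p_i^alpha on the pure-input spectrum."""
    p = output_spectrum(d, r)
    return math.log2(sum(x ** alpha for x in p)) / (1.0 - alpha)


def gamma(d, r, R, alphas=None):
    """gamma^N(R) = max_{alpha>1} (alpha-1)/alpha * (R - log d + S_alpha^min(N)),
    with the maximum approximated on a grid alpha = 1.01, 1.02, ..., 20.99."""
    if alphas is None:
        alphas = [1.0 + 0.01 * k for k in range(1, 2000)]
    return max((a - 1.0) / a * (R - math.log2(d) + renyi_min_output(d, r, a))
               for a in alphas)


def min_entropy_rate(d, r, delta, nu=1.0):
    """lambda(delta) = nu * gamma^N((1/2 - delta)/nu), Corollary 3.4 item 2."""
    return nu * gamma(d, r, (0.5 - delta) / nu)


if __name__ == "__main__":
    for d in (2, 3):
        print(f"d={d}: C_N < 1/2 iff r < {threshold(d):.3f}")
    # Figure 11 setting (nu = 1, delta = 0.01): the rate is positive only below the threshold
    for r in (0.3, 0.5, 0.7, 0.9):
        print(f"qubit r={r}: lambda(0.01) = {min_entropy_rate(2, r, 0.01):.4f}")
```

For r above the threshold the bracket $R - \log d + S^{\min}_\alpha$ is negative for every α > 1, so the computed rate is negative and Corollary 3.4 gives no guarantee there.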

4 Bit commitment from weak string erasure 
4.1 Definition 

Informally, a standard commitment scheme consists of a Commit and an Open primitive between two parties
Alice and Bob. First, Alice and Bob execute the Commit primitive, where Alice has input $Y^\ell \in \{0,1\}^\ell$, and
Bob has no input. As output, Bob receives a notification that Alice has chosen an input $Y^\ell$. Afterwards,
they may execute the Open protocol, during which Bob either accepts or rejects. If both parties are honest,
Bob always accepts and receives the value $Y^\ell$. If Alice is dishonest, however, we still demand that Bob either
outputs the correct value of $Y^\ell$ or rejects (binding). If Bob is dishonest, he should not be able to gain any
information about $Y^\ell$ before the Open protocol is executed (hiding).

Here, we make use of a randomized version of a commitment as depicted in Figure 12. This simplifies
both our definition and the protocol. Instead of inputting her own string $Y^\ell$, Alice now receives a
random string $C^\ell$ from the Commit protocol. Note that if Alice wants to commit to a value $Y^\ell$ of her choice,
she may simply send the xor of her value with the random commitment, $Y^\ell \oplus C^\ell$, to Bob at the end of the
Commit protocol.

To give a more formal definition, note that we may write the Commit and the Open protocol as CPTPMs
$\mathcal{C}_{AB}$ and $\mathcal{O}_{AB}$ respectively, consisting of the local actions of honest Alice and Bob, together with any
operations they may perform on messages that are exchanged. When both parties are honest, the output of
the Commit protocol will be a state $\mathcal{C}_{AB}(\rho_{in}) = \rho_{C^\ell U V}$ for some fixed input state $\rho_{in}$, where $C^\ell \in \{0,1\}^\ell$
is the classical output of Alice, and U and V are the internal states of Alice and Bob respectively. Clearly,
if Alice is dishonest, she may not follow the protocol, and we use $\mathcal{C}_{A'B}$ to denote the resulting map. Note
that $\mathcal{C}_{A'B}$ may not have output $C^\ell$, and we hence simply write $\rho_{A' V}$ for the resulting output state, where A'
denotes the register of a dishonest Alice. Similarly, we use $\mathcal{C}_{AB'}$ to denote the CPTPM corresponding to the
case where Bob is dishonest, and write $\rho_{C^\ell U B'}$ for the resulting output state, where B' denotes the register
of a dishonest Bob.

Figure 12: Randomized string commitment: Alice receives a random $C^\ell \in_R \{0,1\}^\ell$ from Commit. During
the Open phase, Bob outputs $\hat C^\ell$ and F. If both parties are honest, then $\hat C^\ell = C^\ell$ and F = accept. If Alice is
dishonest, Bob outputs $F \in \{\mathrm{accept}, \mathrm{reject}\}$, but $\hat C^\ell = C^\ell$ if F = accept. To obtain a standard commitment,
Alice can send the extra message indicated by the dashed line.

The Open protocol can be described similarly. If both parties are honest, the map $\mathcal{O}_{AB}: \mathcal{B}(\mathcal{H}_{UV}) \to
\mathcal{B}(\mathcal{H}_{\hat C^\ell F})$ creates the state $\eta_{C^\ell \hat C^\ell F} = (\mathbb{I}_{C^\ell} \otimes \mathcal{O}_{AB})(\rho_{C^\ell U V})$, where $\hat C^\ell \in \{0,1\}^\ell$ and $F \in \{\mathrm{accept}, \mathrm{reject}\}$ is
the classical output of Bob. Again, if Alice is dishonest, we write $\mathcal{O}_{A'B}$ to denote the resulting CPTPM with
output $\eta_{A'' \hat C^\ell F}$, and if Bob is dishonest, we write $\mathcal{O}_{AB'}$ for the resulting CPTPM with output $\eta_{C^\ell B''}$. The
following definition is similar to the one given in [15], but slightly more general.

Definition 4.1. An (ℓ, ε)-randomized string commitment scheme is a protocol between Alice and Bob sat-
isfying the following properties:

Correctness: If both parties are honest, then the ideal state $\sigma_{C^\ell \hat C^\ell F}$ defined such that

1. The distribution of $C^\ell$ is uniform, and Bob accepts the commitment:

$$\sigma_{C^\ell F} = \tau_{\{0,1\}^\ell} \otimes |\mathrm{accept}\rangle\langle\mathrm{accept}| .$$

2. The joint state $\eta_{C^\ell \hat C^\ell F}$ created by the real protocol is ε-close to the ideal state:

$$\eta_{C^\ell \hat C^\ell F} \approx_\varepsilon \sigma_{C^\ell \hat C^\ell F} ,$$

where we identify (A, B) with $(C^\ell, \hat C^\ell F)$.

Security for Alice (ε-hiding): If Alice is honest, then for any joint state $\rho_{C^\ell B'}$ created by the Commit
protocol, Bob does not learn $C^\ell$:

$$\rho_{C^\ell B'} \approx_\varepsilon \tau_{\{0,1\}^\ell} \otimes \rho_{B'} .$$

Security for Bob (ε-binding): If Bob is honest, then there exists an ideal cqq-state $\sigma_{C^\ell A' V}$ such that for
all $\mathcal{O}_{A'B}$:

1. Bob almost never accepts $\hat C^\ell \neq C^\ell$:

For $\eta_{C^\ell A'' \hat C^\ell F} = (\mathbb{I}_{C^\ell} \otimes \mathcal{O}_{A'B})(\sigma_{C^\ell A' V})$, we have $\Pr[\hat C^\ell \neq C^\ell \text{ and } F = \mathrm{accept}] \leq \varepsilon$.

2. The joint state $\rho_{A' V}$ created by the real protocol is ε-close to the ideal state:

$$\rho_{A' V} \approx_\varepsilon \sigma_{A' V} .$$

4.2 Protocol 

Let ε' > 0. To construct our protocol based on weak string erasure, we will need a binary (n, k, d)-linear code
$\mathcal{C} \subseteq \{0,1\}^n$, i.e., a linear code with $2^k$ elements and minimal distance $d := 2 \log 1/\varepsilon'$. Let $\mathrm{Syn}: \{0,1\}^n \to
\{0,1\}^{n-k}$ be a function that outputs a parity-check syndrome for the code $\mathcal{C}$. Let $\mathrm{Ext}: \{0,1\}^n \times \mathcal{R} \to \{0,1\}^\ell$
be a 2-universal hash function as defined in Section 2.4.1.

Protocol 2a: Commit

Inputs: none. Outputs: $C^\ell \in \{0,1\}^\ell$ to Alice.

1: Alice and Bob: Execute (n, λ, ε)-WSE. Alice gets $x^n \in \{0,1\}^n$, and Bob gets $\mathcal{I} \subseteq [n]$ and $s = x_{\mathcal{I}}$.

2: Alice: Chooses $r \in_R \mathcal{R}$ and sends r and $w := \mathrm{Syn}(x^n)$ to Bob.

3: Alice: Outputs $C^\ell := \mathrm{Ext}(x^n, r)$ and stores $x^n$. Bob stores $(r, w, \mathcal{I}, s)$.

Protocol 2b: Open

Inputs: none. Outputs: $\hat C^\ell \in \{0,1\}^\ell$ and $F \in \{\mathrm{accept}, \mathrm{reject}\}$ to Bob.

1: Alice: Sends $x^n$ to Bob.

2: Bob: If $s \neq x_{\mathcal{I}}$ or $w \neq \mathrm{Syn}(x^n)$, then he outputs $\hat C^\ell := 0^\ell$ and F := reject. Otherwise, he outputs
$\hat C^\ell := \mathrm{Ext}(x^n, r)$ and F := accept.



Our main claim of this section is the following.

Theorem 4.2 (String commitment). The pair (2a, 2b) of protocols (Commit, Open) is a $(\lambda n - (n - k) -
2 \log 1/\varepsilon',\ 2\varepsilon + \varepsilon')$-randomized string commitment scheme based on one instance of (n, λ, ε)-WSE.

The length $\ell := \lambda n - (n - k) - 2 \log 1/\varepsilon'$ of the commitment depends on our choice of code $\mathcal{C}$. Since we
require that ℓ > 0, we need n − k to be small compared to n, which means that we need codes for which
$k/n \to 1$ for $n \to \infty$. A simple construction of codes that satisfy this can be based on Reed-Solomon codes
[48] over the field $GF(2^m)$, which are $(2^m - 1, 2^m - d, d)$-linear codes. We can convert these codes into binary
$((2^m - 1)m, (2^m - d)m, d)$-linear codes by simply mapping each field element to m bits. For $n := (2^m - 1)m$,
we have $n - k = (d - 1)m \leq d(\log n - 1)$, since $n \geq 2 \cdot 2^m$ whenever $m \geq 3$. Therefore, with these codes we
can achieve $\ell \geq \lambda n - 2 \log n \log 1/\varepsilon'$, i.e., our commitment rate is roughly λ.

4.3 Security proof 

We again show security for Alice and Bob individually. Recall that if Bob is dishonest, our goal is to show
that his information about $C^\ell$ is negligible. The intuition behind this proof is that weak string erasure
ensures that Bob's information about the string $X^n$ is limited. Via privacy amplification we then obtain
that his information about $C^\ell$, which is the output of a 2-universal hash function applied to $X^n$, is negligible.

Lemma 4.3 (Security for Alice). The pair of protocols (Commit, Open) is (2ε + ε')-hiding.

Proof. Let $\rho_{X^n B'}$ be the cq-state created by the execution of WSE. From the properties of WSE it follows that
there exists a state $\sigma_{X^n B'}$ such that $H_\infty(X^n|B')_\sigma \geq \lambda n$ and $\rho_{X^n B'} \approx_\varepsilon \sigma_{X^n B'}$. This implies that

$$H^\varepsilon_\infty(X^n|B')_\rho \geq \lambda n .$$

By the chain rule for the smooth min-entropy, we get

$$H^\varepsilon_\infty(X^n | B'\, \mathrm{Syn}(X^n))_\rho \geq \lambda n - (n - k) = \ell + 2 \log 1/\varepsilon' .$$

Using privacy amplification (Theorem 2.3), we then get that

$$\frac{1}{2} \big\| \rho_{C^\ell B'} - \tau_{\{0,1\}^\ell} \otimes \rho_{B'} \big\|_1 \leq 2\varepsilon + 2^{-\frac{1}{2} \cdot 2 \log 1/\varepsilon' - 1} \leq 2\varepsilon + \varepsilon' ,$$

as promised. □

To show security for honest Bob, we need the following property of linear codes. Note that the function
Syn is linear, i.e., for all strings $x^n$ and $\hat x^n$, we have $\mathrm{Syn}(x^n \oplus \hat x^n) = \mathrm{Syn}(x^n) \oplus \mathrm{Syn}(\hat x^n)$. Therefore, for
any $x^n$ and $\hat x^n$ with $x^n \neq \hat x^n$ and $\mathrm{Syn}(x^n) = \mathrm{Syn}(\hat x^n)$, we have that the string $\mathrm{Syn}(x^n \oplus \hat x^n) \in \{0,1\}^{n-k}$ is the
all zero string $0^{n-k}$. From this it follows that $x^n \oplus \hat x^n$ is a codeword different from $0^n$. Since all codewords
except $0^n$ have weight at least d, it follows that $x^n$ and $\hat x^n$ have distance at least d.

The intuition behind the following proof is the observation that weak string erasure ensures that Bob
knows the substring $X_{\mathcal{I}}$ of a string $X^n$. The properties of the error-correcting code limit the set of strings $\hat X^n$
consistent with this substring and the given syndrome W; this implies that Alice will be detected with high
probability if she attempts to cheat.

Lemma 4.4 (Security for Bob). The pair of protocols (Commit, Open) is ε'-binding.

Proof. Let $\rho_{A' B}$ be the state shared by Alice and Bob after the execution of WSE. From the properties of
WSE it follows that there exists a state $\sigma_{A' X^n \mathcal{I}} = \sigma_{A' X^n} \otimes \tau_{2^{[n]}}$ such that $\rho_{A' B} = \sigma_{A' (\mathcal{I} X_{\mathcal{I}})}$, where $B = (\mathcal{I} X_{\mathcal{I}})$.
Let $\bar X^n$ be the closest string to $X^n$ that satisfies $\mathrm{Syn}(\bar X^n) = W$, and let $C^\ell := \mathrm{Ext}(\bar X^n, R)$. We will now
show that the state $\sigma_{C^\ell A' (R W \mathcal{I} S)}$ created during the Commit protocol satisfies the binding condition.

First of all, note that if Alice sends $\hat X^n = \bar X^n$, then Bob outputs $\hat C^\ell = C^\ell$. It thus remains to analyze
the case of $\hat X^n \neq \bar X^n$. Note that we may write

$$\begin{aligned}
\Pr[\hat C^\ell \neq C^\ell \text{ and } F = \mathrm{accept}]
&= \Pr_{\substack{R, X^n, \hat X^n \\ \mathrm{Syn}(\hat X^n) \neq \mathrm{Syn}(\bar X^n)}} \big[\mathrm{Ext}(\hat X^n, R) \neq \mathrm{Ext}(\bar X^n, R) \text{ and } F = \mathrm{accept}\big] \\
&\quad + \Pr_{\substack{R, X^n, \hat X^n \\ \mathrm{Syn}(\hat X^n) = \mathrm{Syn}(\bar X^n)}} \big[\mathrm{Ext}(\hat X^n, R) \neq \mathrm{Ext}(\bar X^n, R) \text{ and } F = \mathrm{accept}\big] \\
&= \Pr_{\substack{R, X^n, \hat X^n \\ \mathrm{Syn}(\hat X^n) = \mathrm{Syn}(\bar X^n)}} \big[\mathrm{Ext}(\hat X^n, R) \neq \mathrm{Ext}(\bar X^n, R) \text{ and } F = \mathrm{accept}\big] ,
\end{aligned}$$

where the last equality follows from the fact that Bob always rejects if $\mathrm{Syn}(\hat X^n) \neq \mathrm{Syn}(\bar X^n)$.

We now show that the remaining term is small. Note that if $\mathrm{Syn}(\hat X^n) = \mathrm{Syn}(\bar X^n)$ and $\hat X^n \neq \bar X^n$, the
distance between $\hat X^n$ and $\bar X^n$ is at least d. We also know that for our choice of $\bar X^n$, the distance between
$\bar X^n$ and $X^n$ is at most d/2. Hence, $\hat X^n$ has distance at least d/2 to $X^n$. Since Alice does not know $\mathcal{I}$ and
every $i \in [n]$ is in $\mathcal{I}$ with probability $\frac{1}{2}$, Bob accepts with probability at most $\varepsilon' = 2^{-d/2}$. Hence, we obtain

$$\Pr[\hat C^\ell \neq C^\ell \text{ and } F = \mathrm{accept}] \leq \varepsilon' ,$$

as promised. □
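The following is an added toy instance of Protocol 2 and of the binding argument of Lemma 4.4; it is example code, not the paper's. It assumes the binary Hamming [7,4,3] code as the (n, k, d)-linear code, a Toeplitz-matrix hash as the 2-universal Ext, a classical simulation of WSE in which Bob's set I contains each position independently with probability 1/2, and a toy commitment length ℓ = 2; all function names are this example's own.

```python
"""Added example (not from the paper): Protocol 2 (Commit/Open from WSE) over the
Hamming [7,4,3] code, plus an exact evaluation of Lemma 4.4's cheating bound:
an opening x' with Syn(x') = Syn(x) but x' != x differs from x by a nonzero
codeword and is caught whenever a differing position lies in Bob's set I.
"""
import itertools
import random

N, K, D = 7, 4, 3                       # Hamming [7,4,3]: n = 7, k = 4, d = 3
# Parity-check matrix H (3 x 7): column i is the 3-bit binary expansion of i+1.
H = [[(i + 1) >> b & 1 for i in range(N)] for b in range(3)]
ELL = 2                                 # toy commitment length (bits)


def syn(x):
    """Syn(x) = H x over GF(2); linear, so Syn(x ^ y) = Syn(x) ^ Syn(y)."""
    return tuple(sum(h * xi for h, xi in zip(row, x)) % 2 for row in H)


def ext(x, r):
    """2-universal hash: x times the ELL x N Toeplitz matrix T[i][j] = r[i-j+N-1]
    over GF(2); the seed r has N + ELL - 1 bits."""
    return tuple(sum(r[i - j + N - 1] * x[j] for j in range(N)) % 2
                 for i in range(ELL))


def wse(rng):
    """Simulated WSE outcome: x^n for Alice, (I, x_I) for Bob (constructed, not quantum)."""
    x = tuple(rng.randrange(2) for _ in range(N))
    I = tuple(i for i in range(N) if rng.randrange(2) == 0)
    return x, I, tuple(x[i] for i in I)


def commit(x, rng):
    """Protocol 2a, Alice's side: sends (r, w = Syn(x)), outputs C = Ext(x, r)."""
    r = tuple(rng.randrange(2) for _ in range(N + ELL - 1))
    return r, syn(x), ext(x, r)


def open_check(x_open, r, w, I, s):
    """Protocol 2b, Bob's side: accept iff s == x_I and w == Syn(x_open)."""
    if tuple(x_open[i] for i in I) != s or syn(x_open) != w:
        return (0,) * ELL, "reject"
    return ext(x_open, r), "accept"


def codewords():
    return [c for c in itertools.product((0, 1), repeat=N) if syn(c) == (0, 0, 0)]


def min_distance_same_syndrome():
    """Code property used in Lemma 4.4: distinct strings with equal syndromes
    differ by a nonzero codeword, hence have Hamming distance >= d."""
    by_syn = {}
    for x in itertools.product((0, 1), repeat=N):
        by_syn.setdefault(syn(x), []).append(x)
    return min(sum(a != b for a, b in zip(x, y))
               for group in by_syn.values()
               for x, y in itertools.combinations(group, 2))


def cheat_accept_probability(x, x_fake):
    """Exact Pr over Bob's I (each index in I w.p. 1/2) that Open accepts x_fake
    after Alice committed honestly with w = Syn(x); equals 2^-dist(x, x_fake)
    when the syndromes agree and 0 otherwise."""
    w, accepted = syn(x), 0
    for mask in range(1 << N):
        I = tuple(i for i in range(N) if mask >> i & 1)
        s = tuple(x[i] for i in I)
        if open_check(x_fake, (0,) * (N + ELL - 1), w, I, s)[1] == "accept":
            accepted += 1
    return accepted / (1 << N)


def honest_run(seed=1):
    """Full honest Commit/Open: returns Alice's C and Bob's (C_hat, F)."""
    rng = random.Random(seed)
    x, I, s = wse(rng)
    r, w, c = commit(x, rng)
    return c, open_check(x, r, w, I, s)


if __name__ == "__main__":
    print("min distance within a syndrome class:", min_distance_same_syndrome())
    x = (0,) * N
    for cw in codewords()[1:3]:         # openings with the same syndrome as x
        print(cw, "accepted w.p.", cheat_accept_probability(x, cw),
              "<= 2^-(d/2) =", 2 ** (-D / 2))
```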

It remains to show that the protocol is correct. This follows essentially from the properties of weak string
erasure. However, we still need to demonstrate that the state we obtain from weak string erasure has $C^\ell$
close to uniform.
Lemma 4.5 (Correctness). The pair of protocols (Commit, Open) satisfies correctness with an error of at
most 2ε + ε'.

Proof. Let $\eta_{C^\ell \hat C^\ell F}$ be the state at the end of the protocol. It follows directly from the properties of WSE that
$\eta_{C^\ell \hat C^\ell} = \eta_{C^\ell C^\ell}$. It remains to show that this state is close to the ideal state $\sigma_{C^\ell \hat C^\ell F}$. By the same arguments as
in Lemma 4.3 it follows that $\frac{1}{2} \| \eta_{C^\ell} - \tau_{\{0,1\}^\ell} \|_1 \leq 2\varepsilon + \varepsilon'$. Hence, we also have $\frac{1}{2} \| \eta_{C^\ell \hat C^\ell F} - \sigma_{C^\ell \hat C^\ell F} \|_1 \leq 2\varepsilon + \varepsilon'$. □



5 1-2 oblivious transfer from weak string erasure 
5.1 Definition 

We now show how to obtain 1-2 oblivious transfer given access to weak string erasure. Usually, one considers
a non-randomized version of 1-2 oblivious transfer, in which Alice has two inputs $Y_0^\ell, Y_1^\ell \in \{0,1\}^\ell$, and Bob
has as input a choice bit $D \in \{0,1\}$. At the end of the protocol Bob receives $Y_D^\ell$, and Alice receives no
output. The protocol is considered secure if the parties do not gain any information beyond this specification,
that is, Alice does not learn D and there exists some input $Y_{1-D}^\ell$ about which Bob remains ignorant.

Here, we again make use of fully randomized oblivious transfer. Fully randomized oblivious transfer takes
no inputs, and outputs two strings $S_0^\ell, S_1^\ell \in \{0,1\}^\ell$ to Alice, and a choice bit $C \in \{0,1\}$ and $Y^\ell$ to Bob.
Security means that if Alice is dishonest, she should not learn anything about C. Similar to weak string
erasure, we also demand that two strings $S_0^\ell$ and $S_1^\ell$ are created by the protocol. Intuitively, this ensures
that just like in a classical protocol, we can again think of the protocol as being completed once Alice and
Bob have exchanged their final message. If Bob is dishonest, we demand that there exists some random
variable C such that Bob is entirely ignorant about $S_{1-C}^\ell$. That is, he may learn at most one of the two
strings which are generated.

Fully randomized oblivious transfer can easily be converted into "standard" oblivious transfer as depicted
in Figure 13, using the protocol presented in [8] (see also [2]). To obtain non-randomized 1-2 oblivious transfer,
Bob sends Alice a message indicating whether C = D. Note that since Alice does not know C, she also
does not know anything about D. If C = D, Alice sends Bob $Y_0^\ell \oplus S_0^\ell$ and $Y_1^\ell \oplus S_1^\ell$, otherwise she sends
$Y_0^\ell \oplus S_1^\ell$ and $Y_1^\ell \oplus S_0^\ell$. Clearly, if Bob does not learn anything about $S_{1-C}^\ell$, he can learn at most one of $Y_0^\ell$
and $Y_1^\ell$ [11].



[Figure 13: Alice (outputs $S_0^\ell, S_1^\ell \in \{0,1\}^\ell$) and Bob (outputs C, $Y^\ell$) around a FROT box; dashed messages mark the conversion to non-randomized OT.]

Figure 13: Fully randomized 1-2 oblivious transfer when Alice and Bob are honest. Intuitively, if one of the
parties is dishonest, he/she should not be able to obtain more information from the primitive than depicted
above. The dashed messages are exchanged to obtain non-randomized oblivious transfer from FROT.



We now provide a more formal definition, which is very similar to the definitions in [15, 21].

Definition 5.1. An (ℓ, ε)-fully randomized oblivious transfer (FROT) scheme is a protocol between Alice
and Bob satisfying the following:

Correctness: If both parties are honest, then the ideal state $\sigma_{S_0^\ell S_1^\ell C S_C^\ell}$ defined such that

1. The distribution over $S_0^\ell$, $S_1^\ell$ and C is uniform:

2. The real state $\rho_{S_0^\ell S_1^\ell C Y^\ell}$ created during the protocol is ε-close to the ideal state:

$$\rho_{S_0^\ell S_1^\ell C Y^\ell} \approx_\varepsilon \sigma_{S_0^\ell S_1^\ell C S_C^\ell} , \qquad (42)$$

where we identify $A = (S_0^\ell, S_1^\ell)$ and $B = (C, Y^\ell)$.

Security for Alice: If Alice is honest, then there exists an ideal state $\sigma_{S_0^\ell S_1^\ell B' C}$, where C is a random
variable on {0,1}, such that

1. Bob is ignorant about $S_{1-C}^\ell$:

2. The real state $\rho_{S_0^\ell S_1^\ell B'}$ created during the protocol is ε-close to the ideal state:

$$\rho_{S_0^\ell S_1^\ell B'} \approx_\varepsilon \sigma_{S_0^\ell S_1^\ell B'} .$$

Security for Bob: If Bob is honest, then there exists an ideal state $\sigma_{A' S_0^\ell S_1^\ell C}$ such that

1. Alice is ignorant about C:

2. The real state $\rho_{A' C Y^\ell}$ created during the protocol is ε-close to the ideal state:

$$\rho_{A' C Y^\ell} \approx_\varepsilon \sigma_{A' C S_C^\ell} ,$$

where we identify $B = (C, Y^\ell)$.

Again, we allow the protocol implementing this primitive to abort, but demand that the security condi-
tions are satisfied if the protocol does not abort.

5.2 Protocol 

We now show how to obtain a fully randomized oblivious transfer given access to weak string erasure.

As in Section 3, honest players never abort the protocol. If the dishonest player refuses to send correctly
formed messages, the honest player chooses the messages himself. Note that we require the same also from
the interactive hashing protocol: if one player aborts it, the other terminates the protocol. Indeed, this
is needed to really satisfy the corresponding lemma, which does not deal with aborts. By inspection of the protocols, it is
easy to see that the honest player can indeed simulate all the other player's messages in this way.

To obtain some intuition for the actual protocol, consider the following naive protocol, which we only
state informally. It makes use of a 2-universal hash function $\mathrm{Ext}: \{0,1\}^{n/4} \times \mathcal{R} \to \{0,1\}^\ell$.

Protocol 3': Naive Protocol (informal)

Outputs: $(s_0^\ell, s_1^\ell) \in \{0,1\}^\ell \times \{0,1\}^\ell$ to Alice, and $(c, y^\ell) \in \{0,1\} \times \{0,1\}^\ell$ to Bob

1: Alice and Bob: Execute WSE. Alice gets a string $x^n \in \{0,1\}^n$, Bob a set $\mathcal{I} \subseteq [n]$ and a string
$s = x_{\mathcal{I}}$. If $|\mathcal{I}| < n/4$, Bob randomly adds elements to $\mathcal{I}$ and pads the corresponding positions in s
with 0s. Otherwise, he randomly truncates $\mathcal{I}$ to size n/4, and deletes the corresponding values in s.

2: Alice and Bob: Execute interactive hashing with Bob's input w equal to a description of $\mathcal{I}$, $\mathcal{I} =
\mathrm{Enc}(w)$. Interpret the outputs $w_0$ and $w_1$ as descriptions of subsets $\mathcal{I}_0$ and $\mathcal{I}_1$ of [n].

3: Alice: Chooses $r_0, r_1 \in_R \mathcal{R}$ and sends them to Bob.

4: Alice: Outputs $(s_0^\ell, s_1^\ell) := (\mathrm{Ext}(x_{\mathcal{I}_0}, r_0), \mathrm{Ext}(x_{\mathcal{I}_1}, r_1))$.

5: Bob: Computes $c \in \{0,1\}$ with $\mathcal{I} = \mathcal{I}_c$, and $x_{\mathcal{I}}$ from s. He outputs $(c, y^\ell) := (c, \mathrm{Ext}(s, r_c))$.

For now, let us neglect the fact that the outputs of interactive hashing are strings, and assume that the
subset $\mathcal{I}_{1-c}$ generated by the interactive hashing protocol is uniformly distributed over subsets of size n/4
not equal to $\mathcal{I}$. The string $x_{\mathcal{I}_{1-c}}$ is then obtained by sampling from the string $x^n$, which by the definition of
weak string erasure has high min-entropy. We therefore expect the value $s_{1-c}^\ell$ to be uniform and independent
of Bob's view. This should imply security for Alice, whereas security for Bob immediately follows from the
properties of interactive hashing.

In this intuitive argument, we have ignored the fact that the sampling result only applies to blocks,
and not individual bits. To make use of the sampling results we hence need to make a slight modification to
the simple protocol given above. We partition $x^n$ (where n = βm) into m blocks of β bits each. It will
be convenient to arrange the bits of $x^n$ into a matrix $z \in M_{m \times \beta}(\{0,1\})$, where $z_{j,\alpha} := x_{(j-1)\cdot\beta + \alpha}$. Note,
however, that we cannot simply sample from the rows of z, since the subset $\mathcal{I}$ of bits known to Bob does
not correspond to the union of certain rows. We therefore allow Bob to permute the entries of z by picking
a permutation $\pi: [m] \times [\beta] \to [m] \times [\beta]$ such that he knows a subset $\mathcal{J} \subseteq [m]$ of $|\mathcal{J}| = m/4$ rows of π(z).
More formally,

$$\exists\, \mathcal{J} \subseteq [m], |\mathcal{J}| = m/4 :\ \text{if } j' \in \mathcal{J},\ \alpha' \in [\beta] \text{ then } (j - 1)\cdot\beta + \alpha \in \mathcal{I} \text{ with } (j, \alpha) = \pi^{-1}(j', \alpha') . \qquad (43)$$

Bob announces the permutation π to Alice, and both parties continue to use π(z) instead of z. It turns out
that picking π at random subject to (43) ensures that Bob's input to the interactive hashing protocol
does not reveal any significant information about c to Alice. This will be shown below.

To use interactive hashing in conjunction with subsets, the actual protocol needs an encoding of sub-
sets $\mathrm{Enc}: \{0,1\}^t \to \mathcal{T}$, where $\mathcal{T}$ is the set of all subsets of [m] of size m/4 (we assume without loss of
generality that m is a multiple of 4). Here we choose t such that $2^t \leq \binom{m}{m/4} < 2 \cdot 2^t$, and an injective
encoding $\mathrm{Enc}: \{0,1\}^t \to \mathcal{T}$, i.e., no two strings are mapped to the same subset. Note that this means that
not all possible subsets are encoded, but at least half of them. We refer to [HI] [52] for details on how to
obtain such an encoding.
Protocol 3: WSE-to-FROT

Parameters: Integers n, β such that m := n/β is a multiple of 4. Set t := m/2. Outputs: $(s_0^\ell, s_1^\ell) \in
\{0,1\}^\ell \times \{0,1\}^\ell$ to Alice, and $(c, y^\ell) \in \{0,1\} \times \{0,1\}^\ell$ to Bob

1: Alice and Bob: Execute (n, λ, ε)-WSE. Alice gets a string $x^n \in \{0,1\}^n$, Bob a set $\mathcal{I} \subseteq [n]$ and a
string $s = x_{\mathcal{I}}$. If $|\mathcal{I}| < n/4$, Bob randomly adds elements to $\mathcal{I}$ and pads the corresponding positions
in s with 0s. Otherwise, he randomly truncates $\mathcal{I}$ to the size n/4, and deletes the corresponding
values in s.

We arrange $x^n$ into a matrix $z \in M_{m \times \beta}(\{0,1\})$, by $z_{j,\alpha} := x_{(j-1)\cdot\beta + \alpha}$ for $(j, \alpha) \in [m] \times [\beta]$.

2: Bob:

1. Randomly chooses a string $w^* \in_R \{0,1\}^t$ corresponding to an encoding of a subset $\mathrm{Enc}(w^*)$ of
[m] with m/4 elements.

2. Randomly partitions the n bits of $x^n$ into m blocks of β bits each: He randomly chooses a
permutation $\pi: [m] \times [\beta] \to [m] \times [\beta]$ of the entries of z as in Lemma 2.5, such that he knows
$\pi(z)_{\mathrm{Enc}(w^*)}$ (that is, these bits are a permutation of the bits of s). Formally, π is uniform over
permutations satisfying the following condition: for all $(j, \alpha) \in [m] \times [\beta]$ and $(j', \alpha') := \pi(j, \alpha)$,
we have $(j - 1)\cdot\beta + \alpha \in \mathcal{I} \Leftrightarrow j' \in \mathrm{Enc}(w^*)$.

3. Bob sends π to Alice.

3: Alice and Bob: Execute interactive hashing with Bob's input equal to $w^*$. They obtain $w_0^t, w_1^t \in
\{0,1\}^t$ with $w^* \in \{w_0^t, w_1^t\}$.

4: Alice: Chooses $r_0, r_1 \in_R \mathcal{R}$ and sends them to Bob.

5: Alice: Outputs $(s_0^\ell, s_1^\ell) := \big(\mathrm{Ext}(\pi(z)_{\mathrm{Enc}(w_0^t)}, r_0),\ \mathrm{Ext}(\pi(z)_{\mathrm{Enc}(w_1^t)}, r_1)\big)$.

6: Bob: Computes c, where $w_c^t = w^*$, and $\pi(z)_{\mathrm{Enc}(w^*)}$ from s. He outputs $(c, y^\ell) :=
(c, \mathrm{Ext}(\pi(z)_{\mathrm{Enc}(w^*)}, r_c))$.

Theorem 5.2 (Oblivious transfer). For any constant ω > 2 and $\beta \geq \max\{67, 256\omega^2/\lambda^2\}$, the protocol
WSE-to-FROT implements an (ℓ, 41 · 2"^^^-^" + 2ε)-FROT from one instance of (n, λ, ε)-WSE, where

Since this work is a proof of principle, we may choose ω = 2. However, if we were to look at a more
practical setting, choosing other values of ω can be beneficial.
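The following is an added example, not the paper's code, of Bob's step 2 of Protocol 3: it trims or pads the WSE set I to n/4 positions, arranges $x^n$ as an m × β matrix, and draws a permutation π uniformly among those satisfying condition (43), then checks that the rows Enc(w*) of π(z) can be filled by Bob from s alone. It assumes a direct choice of the row set J in place of the encoding Enc(w*), a classically simulated WSE, and its own function names.

```python
"""Added example (not from the paper): Bob's permutation step in Protocol 3.
Condition (43): a position (j-1)*beta + alpha of x^n lies in Bob's set I exactly
when pi(j, alpha) lands in one of the m/4 rows J = Enc(w*). Here J is chosen
directly (the subset encoding Enc is not implemented) and WSE is simulated.
"""
import random


def normalise_index_set(I, x, n, rng):
    """Step 1: pad I with random extra positions (s padded with 0s) or randomly
    truncate it, so that |I| = n/4 as the protocol requires."""
    I = set(I)
    s = {i: x[i] for i in I}                 # Bob's s = x_I from WSE
    while len(I) < n // 4:
        i = rng.choice([j for j in range(n) if j not in I])
        I.add(i)
        s[i] = 0                             # padding bit: Bob does not know x_i here
    while len(I) > n // 4:
        I.remove(rng.choice(sorted(I)))
    return I, {i: s[i] for i in I}


def to_matrix(x, m, beta):
    """z_{j,alpha} = x_{(j-1)beta + alpha}, written 0-based."""
    return [[x[j * beta + a] for a in range(beta)] for j in range(m)]


def draw_permutation(I, J, m, beta, rng):
    """Uniform pi over permutations of [m]x[beta] with
    (j-1)beta + alpha in I  <=>  row of pi(j, alpha) in J   (condition (43))."""
    assert len(I) == len(J) * beta, "need |I| = |J| * beta"
    in_cells = [(j, a) for j in range(m) for a in range(beta) if j in J]
    out_cells = [(j, a) for j in range(m) for a in range(beta) if j not in J]
    rng.shuffle(in_cells)                    # uniform over admissible pi: shuffle the
    rng.shuffle(out_cells)                   # target cells of each class independently
    known = sorted(I)
    unknown = [p for p in range(m * beta) if p not in I]
    pi = {}
    for p, cell in zip(known, in_cells):     # positions Bob knows -> rows in J
        pi[divmod(p, beta)] = cell
    for p, cell in zip(unknown, out_cells):  # unknown positions -> rows outside J
        pi[divmod(p, beta)] = cell
    return pi


def apply_permutation(z, pi, m, beta):
    """pi(z): the entry at (j, alpha) of z moves to position pi(j, alpha)."""
    out = [[None] * beta for _ in range(m)]
    for (j, a), (j2, a2) in pi.items():
        out[j2][a2] = z[j][a]
    return out


def rows(matrix, J):
    return [matrix[j] for j in sorted(J)]


def bob_reconstructs_known_rows(s, pi, J, m, beta):
    """Bob fills pi(z)_J from s alone (he never saw the other bits of x^n)."""
    out = [[None] * beta for _ in range(m)]
    for p, bit in s.items():
        j2, a2 = pi[divmod(p, beta)]
        out[j2][a2] = bit
    return rows(out, J)


def satisfies_43(pi, I, J, beta):
    """Check condition (43) for every matrix position."""
    return all(((j * beta + a) in I) == (j2 in J)
               for (j, a), (j2, a2) in pi.items())


def demo(x, I, J, beta, seed=3):
    """Run step 1 and step 2 for Alice's x^n and Bob's (I, J); returns whether Alice's
    rows J of pi(z) equal Bob's reconstruction, together with pi and the final I."""
    rng = random.Random(seed)
    n, m = len(x), len(x) // beta
    I, s = normalise_index_set(I, x, n, rng)
    pi = draw_permutation(I, J, m, beta, rng)
    permuted = apply_permutation(to_matrix(x, m, beta), pi, m, beta)
    ok = rows(permuted, J) == bob_reconstructs_known_rows(s, pi, J, m, beta)
    return ok, pi, I


if __name__ == "__main__":
    x = [0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1]   # constructed x^n, n = 16
    ok, pi, I = demo(x, list(range(10)), {1, 5}, beta=2)   # m = 8, |J| = m/4 = 2
    print("Bob can fill rows J of pi(z):", ok, "| (43) holds:", satisfies_43(pi, I, {1, 5}, 2))
```

When |I| < n/4 the padded positions carry 0s that need not match $x^n$, which is why the protocol only pads in that (exponentially unlikely) case.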

5.3 Security proof 

We first show that the protocol is secure against a cheating Alice. Intuitively, the properties of weak string
erasure ensure that Alice does not know which bits $x_i$ of $x^n$ are known to Bob, that is, she is ignorant about
the index set $\mathcal{I}$. This implies that essentially any partition of the bits is consistent with Alice's view. In
particular, she does not gain much information from the particular partition chosen by Bob. Finally, the
properties of interactive hashing ensure that she cannot gain much information about which of the two final
strings is known to Bob.

Lemma 5.3 (Security for Bob). Protocol WSE-to-FROT satisfies security for Bob.

Proof. Let $\rho_{A'' C Y^\ell}$ denote the joint state at the end of the protocol, where A'' is the quantum output
of a malicious Alice and $(C, Y^\ell)$ is the classical output of an honest Bob. We construct an ideal state
$\sigma_{A'' S_0^\ell S_1^\ell C} = \sigma_{A'' S_0^\ell S_1^\ell} \otimes \tau_{\{0,1\}}$ that satisfies $\rho_{A'' C Y^\ell} = \sigma_{A'' C S_C^\ell}$.
First, we divide a malicious Alice into two parts. The first part interacts with Bob in the WSE protocol,
after which the state shared by Alice and Bob is $\rho_{A' X_{\mathcal{I}} \mathcal{I}}$. From the properties of WSE it follows that there
exists an ideal state $\sigma_{A' X^n \mathcal{I}}$ such that the reduced state satisfies $\rho_{A' X_{\mathcal{I}} \mathcal{I}} = \sigma_{A' X_{\mathcal{I}} \mathcal{I}}$.

The second part of Alice takes A' as input and interacts with Bob in the rest of the protocol. To
analyze the resulting joint output state $\rho_{A'' C Y^\ell}$, we can use the properties of weak string erasure, and let
the second part of Alice interact with honest Bob starting from the state $\sigma_{A' X^n \mathcal{I}}$. The protocol outputs a
state $\sigma_{A'' X^n \mathcal{I} M}$, where M denotes all classical communication during the protocol. Note that the values
$\Pi$, $W_0^t$, $W_1^t$, $R_0$ and $R_1$ can be computed from M. Let $S_i^\ell := \mathrm{Ext}(\Pi(Z)_{\mathrm{Enc}(W_i^t)}, R_i)$ for $i \in \{0,1\}$, where for
$(j, \alpha) \in [m] \times [\beta]$ we have $Z_{j,\alpha} = X_{(j-1)\cdot\beta + \alpha}$. We obtain the state $\sigma_{A'' S_0^\ell S_1^\ell C Y^\ell}$ by taking the partial trace of
$\sigma_{A'' X^n \mathcal{I} M}$. From the construction of this state and the fact that $\rho_{A' X_{\mathcal{I}} \mathcal{I}} = \sigma_{A' X_{\mathcal{I}} \mathcal{I}}$, it follows directly
that $\rho_{A'' C Y^\ell} = \sigma_{A'' C Y^\ell}$ and $\sigma_{A'' S_0^\ell S_1^\ell C Y^\ell} = \sigma_{A'' S_0^\ell S_1^\ell C S_C^\ell}$. Hence

$$\rho_{A'' C Y^\ell} = \sigma_{A'' C S_C^\ell} .$$

It remains to be shown that Alice does not learn anything about C, that is, $\sigma_{A'' S_0^\ell S_1^\ell C} = \sigma_{A'' S_0^\ell S_1^\ell} \otimes \tau_{\{0,1\}}$.
From the properties of WSE it follows that $\sigma_{A' X^n \mathcal{I}} = \sigma_{A' X^n} \otimes \tau_{2^{[n]}}$. Since Bob randomly truncates/extends $\mathcal{I}$
such that $|\mathcal{I}| = n/4$, the resulting set $\mathcal{I}$ is also uniformly distributed over all subsets of size n/4 and
independent of A'. Hence, conditioned on any fixed $W^* = w^*$, the permutation Π is uniform and independent
of A'. It follows that the string $W^*$ is also uniform and independent of A' and Π. From the properties of
interactive hashing we are guaranteed that C is uniform and independent of Alice's view afterwards, and
hence,

$$\sigma_{A'' S_0^\ell S_1^\ell C} = \sigma_{A'' S_0^\ell S_1^\ell} \otimes \tau_{\{0,1\}} .$$

□



Second, we show that the protocol is secure against a cheating Bob. We again first give an intuitive argument. Weak string erasure guarantees that Bob gains only a limited amount of information about the string $X^n$. The properties of interactive hashing ensure that Bob has very little control over one of the two subsets of blocks chosen by the interactive hashing. Therefore, by the results on min-entropy sampling, Bob has only limited information about the bits of $X^n$ in these blocks. Privacy amplification can then be used to turn this into almost complete ignorance.

Lemma 5.4 (Security for Alice). Protocol WSE-to-FROT satisfies security for Alice with an error of
$$41 \cdot 2^{-\lambda^2 n/(512\omega^2\beta)} + 2\varepsilon.$$

Proof. Let $\rho_{X^nB'}$ be the cq-state created by the execution of WSE. From the properties of WSE it follows that there exists a state $\sigma_{X^nB'}$ such that $H_\infty(X^n|B')_\sigma \ge \lambda n$ and $\rho_{X^nB'} \approx_\varepsilon \sigma_{X^nB'}$, which implies that
$$H^\varepsilon_\infty(Z|B')_\rho = H^\varepsilon_\infty(X^n|B')_\rho \ge \lambda n.$$

Recall that our goal is to show that Bob has high min-entropy about the string A" restricted to one of 
the subsets of blocks generated by the interactive hashing protocol. Our first step is to count the subsets of 
blocks which are bad for Alice in the sense that Bob has a lot of information about A" in such blocks. We 
then show that the probability that both sets chosen via the interactive hashing primitive lie in the bad set 
of blocks is exponentially small in n. 

First of all, note that the permutation $\Pi$ is generated by Bob. In particular, if Bob is dishonest, $\Pi$ may depend on his quantum information $B'$. This corresponds to the situation studied in Lemma 2.5. With Lemma 2.5 we therefore conclude that for the uniform distribution over subsets $S \subseteq [m]$ of size $|S| = m/4$,
$$\Pr_S\left[ H^{\varepsilon+4\delta}_\infty\big(\Pi(Z)_S \,\big|\, S\,\Pi\,B''\big) < \frac{\omega-1}{\omega}\cdot\frac{\lambda n}{4} \right] \le \delta^2. \qquad (44)$$

Note that, in the protocol, we do not actually sample from the uniform distribution over subsets; the bound (44) is merely used in a counting argument here to establish that the number of "bad" subsets is limited, cf. (45) below.
Here $\delta = 2^{-m\lambda^2/(512\omega^2)}$ and $B''$ is Bob's part of the shared quantum state after he has sent $\Pi$ to Alice. Let $\mathrm{Bad}$ be the set of all subsets of size $m/4$ that result in small min-entropy, i.e.,
$$\mathrm{Bad} := \left\{ S \subseteq [m] \;\middle|\; |S| = \frac{m}{4} \text{ and } H^{\varepsilon+4\delta}_\infty\big(\Pi(Z)_S \,\big|\, S\,\Pi\,B''\big) < \frac{\omega-1}{\omega}\cdot\frac{\lambda n}{4} \right\}.$$
Since we have considered the uniform distribution over all subsets of size $m/4$, we conclude from (44) that
$$\big|\{w^* \in \{0,1\}^t \mid \mathrm{Enc}(w^*) \in \mathrm{Bad}\}\big| \le |\mathrm{Bad}| \le \binom{m}{m/4}\,\delta^2 \le 2\cdot 2^t\,\delta^2. \qquad (45)$$
In the first inequality, we have used the fact that $\mathrm{Enc}$ is injective, i.e., every element in the image has exactly one preimage. In the last inequality, we used the fact that $\binom{m}{m/4} \le 2\cdot 2^t$. By the third property of the interactive hashing, we conclude that
$$\Pr\big[\mathrm{Enc}(W^*_0) \in \mathrm{Bad} \text{ and } \mathrm{Enc}(W^*_1) \in \mathrm{Bad}\big] \le \frac{16 \cdot 2\cdot 2^t\,\delta^2}{2^t} = 32\delta^2. \qquad (46)$$

Let $\rho_{ZW^*_0W^*_1\Pi B'''}$ be the shared quantum state after the interactive hashing, where $B'''$ is Bob's part of that state. From (46) it follows that there exists a $C \in \{0,1\}$, or more precisely, there exists an ideal state $\sigma_{ZW^*_0W^*_1\Pi B'''C}$ with $\rho_{ZW^*_0W^*_1\Pi B'''} = \sigma_{ZW^*_0W^*_1\Pi B'''}$, such that
$$\Pr\left[ H^{\varepsilon+4\delta}_\infty\big(\Pi(Z)_{\mathrm{Enc}(W^*_{1-C})} \,\big|\, W^*_0 W^*_1 \Pi B'''\big)_\sigma \ge \frac{\omega-1}{\omega}\cdot\frac{\lambda n}{4} \right] \ge 1 - 32\delta^2. \qquad (47)$$



Note that Bob may use his quantum state during the interactive hashing, but he cannot increase the probability of (46) this way. Furthermore, any processing may only increase his uncertainty. Let $\mathcal{A}$ be the event that the inequality in the argument on the l.h.s. of (47) holds. Let
$$\sigma_{ZW^*_0W^*_1\Pi B'''CR_0R_1} := \sigma_{ZW^*_0W^*_1\Pi B'''C} \otimes \tau_{\mathcal{R}} \otimes \tau_{\mathcal{R}},$$
where $\mathcal{R}$ is the seed set of the extractor, and let $S^*_0$ and $S^*_1$ be calculated as stated in the protocol. Using the chain rule (see (16)) and the fact that $(R_0, R_1)$ are independent, we get
$$H^{\varepsilon+4\delta}_\infty\big(\Pi(Z)_{\mathrm{Enc}(W^*_{1-C})} \,\big|\, S^*_C\, C\, R_0R_1 W^*_0W^*_1\Pi B''', \mathcal{A}\big)_\sigma \ge \frac{\omega-1}{\omega}\cdot\frac{\lambda n}{4} - \ell - 1.$$
Using privacy amplification (Theorem 2.3), we then have conditioned on the event $\mathcal{A}$ that
$$\frac12\left\| \sigma_{S^*_{1-C}S^*_CCR_0R_1W^*_0W^*_1\Pi B'''} - \tau_{\{0,1\}^\ell} \otimes \sigma_{S^*_CCR_0R_1W^*_0W^*_1\Pi B'''} \right\|_1 \le \delta + 2\varepsilon + 8\delta, \qquad (48)$$
since
$$\frac{\omega-1}{\omega}\cdot\frac{n\lambda}{4} - 2\ell - 1 \ge 2\log\frac{1}{\delta} = \frac{2\lambda^2 m}{512\omega^2},$$
which follows from
$$\ell \le \frac{\omega-1}{\omega}\cdot\frac{\lambda n}{8} - \frac{\lambda^2 m}{512\omega^2} - \frac12.$$
Let $B^* := (R_0R_1W^*_0W^*_1\Pi B''')$ be Bob's part in the output state. Since $\Pr[\mathcal{A}] \ge 1 - 32\delta^2$, we get
$$\sigma_{S^*_{1-C}S^*_CB^*C} \approx_{32\delta^2 + 9\delta + 2\varepsilon} \tau_{\{0,1\}^\ell} \otimes \sigma_{S^*_CB^*C}$$
and
$$\sigma_{S^*_0S^*_1B^*} = \rho_{S^*_0S^*_1B^*}.$$
Since $\delta^2 \le \delta$, this implies the security condition for Alice with a total error of at most $41\delta + 2\varepsilon$. $\square$
Finally, we show that the protocol is correct when Alice and Bob are both honest.

Lemma 5.5 (Correctness). Protocol WSE-to-FROT satisfies correctness with an error of
$$3 \cdot 2^{-n/16} \le 3 \cdot 2^{-\lambda^2 n/(512\omega^2\beta)}.$$

Proof. Let $\hat\xi := 2^{-n/16}$. We have to show that the state $\rho_{S^*_0S^*_1CY^C}$ at the end of the protocol is $3\hat\xi$-close to the given ideal state $\sigma_{S^*_0S^*_1CS^*_C}$. Using the Hoeffding bound [58], the probability that a random subset of $[n]$ has less than $n/4$ elements is at most $\exp(-n/8) \le \hat\xi$. Hence the probability that Bob has to pad $X_I$ with 0s (which are likely to be incorrect) when both parties are honest is at most $\hat\xi$. Let $\mathcal{A}$ be the event that this does not happen. It remains to show that the state $\rho_{S^*_0S^*_1CY^C|\mathcal{A}}$ is $2\hat\xi$-close to the given ideal state $\sigma_{S^*_0S^*_1CS^*_C}$. Note that the correctness condition of WSE ensures that the state created by WSE is equal to $\rho_{X^nIX_I} = \sigma_{X^nIX_I}$, where $\sigma_{X^nI} = \tau_{\{0,1\}^n} \otimes \tau_{2^{[n]}}$. Since $I_0$ and $I_1$ are chosen independently of $X^n$, $X_{I_0}$ and $X_{I_1}$ are independent and have a min-entropy of $n/4$ each. Since $\ell \le n/8 \le n/4 - 2\log 1/\hat\xi$, it follows from Theorem 2.3 that $S^*_0$ and $S^*_1$ are independent and each of them is $\hat\xi$-close to uniform. Furthermore, by the same arguments as in Lemma 5.3 we have that $C$ is uniform and independent of $S^*_0$ and $S^*_1$. Hence,

Since the extra condition on the permutation $\Pi$ implies that Bob can indeed calculate $\Pi(Z)_{\mathrm{Enc}(W)}$ from $X_I$, we have that $Y^C = S^*_C$. Using $\Pr[\mathcal{A}] \ge 1 - \hat\xi$ we get

Finally, $\lambda \le 1$, $\beta \ge 1$ and $\omega \ge 2$ give us $1/16 \ge \lambda^2/(512\omega^2\beta)$, from which the claim follows. $\square$
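The correctness argument above rests on two mechanical facts: Bob's "extra condition" on $\Pi$ places the blocks $\mathrm{Enc}(W)$ exactly on the positions he knows, so he can recompute $\Pi(Z)_{\mathrm{Enc}(W)}$ from $X_I$ alone, and the only failure mode for honest parties is the padding with 0s when $|I| < n/4$. The following script, added here as an illustration and not the paper's own code, runs the classical post-processing of WSE-to-FROT for two honest parties with small parameters ($\beta = 8$, $m = 16$, $n = 128$, $\ell = 8$) and checks that Bob's $Y$ equals Alice's $S^*_C$. Everything the text leaves open is an assumption of this example: $\mathrm{Ext}$ is a Toeplitz (two-universal) hash over GF(2), $\mathrm{Enc}$ is the combinatorial-number-system map from $t$-bit strings to $m/4$-subsets of $[m]$ (which satisfies $2^t \le \binom{m}{m/4} \le 2\cdot 2^t$), the interactive hashing subprotocol is replaced by a local stand-in that only guarantees $W \in \{W_0, W_1\}$ with $W = W_C$, and the input string is constructed, not real data.

```python
"""Classical post-processing of WSE-to-FROT for two honest parties (added illustration).

This is not the paper's code. Assumed choices that the text leaves open: Ext is a
Toeplitz (two-universal) hash over GF(2); Enc is the combinatorial-number-system
map from t-bit strings to m/4-subsets of [m]; the interactive hashing subprotocol
is replaced by a local stand-in that only guarantees W in {W0, W1} with W = W_C.
"""
from math import comb
import random

BETA, M = 8, 16                    # beta bits per block, m blocks; n = m * beta = 128
N = M * BETA
K = M // 4                         # m/4 blocks, i.e. the n/4 positions Bob knows
T = comb(M, K).bit_length() - 1    # 2^t <= C(m, m/4) < 2 * 2^t; here C(16, 4) = 1820, t = 10
ELL = 8                            # output length ell; Lemma 5.5 needs ell <= n/8 = 16
# Constructed sample for Alice's WSE output X^n (not real data).
SAMPLE_X = "".join("1" if (i * 37 + 11) % 7 in (1, 3, 4) else "0" for i in range(N))


def enc(w, m=M, k=K):
    """Injective Enc: integer w < C(m, k) -> sorted k-subset of range(m)."""
    subset, c = [], w
    for i in range(k, 0, -1):        # w = C(a_k, k) + ... + C(a_1, 1), a_k > ... > a_1 >= 0
        a = i - 1                    # C(i - 1, i) = 0 <= c, so this start is always valid
        while comb(a + 1, i) <= c:
            a += 1
        subset.append(a)
        c -= comb(a, i)
    return tuple(sorted(subset))


def ext(x, seed, ell=ELL):
    """Toeplitz hash over GF(2): out[j] = XOR_i seed[j - i + len(x) - 1] * x[i]."""
    n_in = len(x)
    assert len(seed) == n_in + ell - 1
    out = []
    for j in range(ell):
        bit = 0
        for i, xi in enumerate(x):
            if xi == "1" and seed[j - i + n_in - 1]:
                bit ^= 1
        out.append(str(bit))
    return "".join(out)


def block_positions(blocks, beta=BETA):
    """Bit positions occupied by the given blocks of a string of m blocks of beta bits."""
    return [b * beta + a for b in blocks for a in range(beta)]


def run_frot(x, known, seed=0):
    """Run the steps after WSE: Alice holds x, Bob holds the positions `known` and x there.

    Returns Alice's (S0, S1), Bob's (C, Y) and whether Bob had to pad with guessed 0s.
    """
    rng = random.Random(seed)
    orig = set(known)
    # Bob: truncate or extend his set to exactly n/4 positions (extension = guessed 0s).
    padded = len(orig) < N // 4
    if padded:
        extra = [i for i in range(N) if i not in orig]
        positions = sorted(orig | set(rng.sample(extra, N // 4 - len(orig))))
    else:
        positions = sorted(rng.sample(sorted(orig), N // 4))
    view = {i: (x[i] if i in orig else "0") for i in positions}
    # Bob: pick W, the block set Enc(W), and a permutation pi with pi(positions) = Enc(W) blocks.
    w = rng.randrange(2 ** T)
    target = block_positions(enc(w))
    src_rest = [i for i in range(N) if i not in set(positions)]
    dst_rest = [i for i in range(N) if i not in set(target)]
    dst_target = target[:]
    rng.shuffle(dst_target)
    rng.shuffle(dst_rest)
    pi = dict(zip(positions, dst_target))
    pi.update(zip(src_rest, dst_rest))
    # Stand-in for interactive hashing (assumption): Alice learns W0, W1 with W_C = W.
    c = rng.randrange(2)
    other = rng.randrange(2 ** T)
    while other == w:
        other = rng.randrange(2 ** T)
    w_pair = (w, other) if c == 0 else (other, w)
    seeds = [tuple(rng.randrange(2) for _ in range(N // 4 + ELL - 1)) for _ in range(2)]
    # Alice: permute X^n into Pi(Z) and extract from both announced block sets.
    pz = [None] * N
    for i in range(N):
        pz[pi[i]] = x[i]
    s = [ext("".join(pz[p] for p in block_positions(enc(w_pair[i]))), seeds[i]) for i in range(2)]
    # Bob: the blocks Enc(W) sit exactly on pi(positions), so he rebuilds them from X_I alone.
    pz_bob = {pi[i]: view[i] for i in positions}
    y = ext("".join(pz_bob[p] for p in block_positions(enc(w))), seeds[c])
    return {"S0": s[0], "S1": s[1], "C": c, "Y": y, "padded": padded}
```

With a set of known positions of size at least $n/4$ the returned `Y` always equals `S0` or `S1` according to `C`; with fewer than $n/4$ known positions the run reports `padded`, and `Y` is then the hash of a string in which the guessed 0s replace Alice's actual bits, which is the error event the Hoeffding bound in Lemma 5.5 charges to the honest parties.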

6 Conclusions and open problems 

We have shown that secure bit commitment and oblivious transfer can be obtained with unconditional 
security in the noisy-storage model. We have connected the security of our protocols to the information- 
carrying capacity of the noisy channel describing the malicious party's storage. We found a natural tradeoff 
between the (classical) capacity of the storage channel and the rates at which oblivious transfer and bit 
commitment can be performed: higher noise levels lead to stronger security. 

While the connection between capacities of channels and security turns out to be directly applicable to a number of settings of practical interest, our work raises several immediate questions concerning the exact requirements for security in the noisy-storage model. Already now our work has sparked a number of new works. Our technique of relating security to a coding problem has been used to construct another, simpler, protocol for oblivious transfer [54], albeit at the expense of requiring significantly more noise in memory to achieve security. Other channels have been shown to satisfy the strong converse property, and hence lead to security in our model [24]. Alternate forms of weak string erasure using high-dimensional states have been investigated using our techniques to show that in the limit of large $n$, security in the bounded-storage model holds as long as a constant fraction of transmitted states is lost (i.e., $\nu < 1$) [10], and the security of an eavesdropper with a noisy memory device in QKD was investigated [B]. A practical implementation is in progress [W].

Extending security: Clearly, it is desirable to extend the security guarantee to a wider range of noisy channels. The limiting factor in obtaining security from a noisy storage described by $\mathcal{F} = \mathcal{N}^{\otimes \nu n}$ was the fact that we require the sufficiency condition $C_{\mathcal{N}} \cdot \nu < 1/2$ to hold (see Corollary 1.2), where $\nu$ is the storage rate and $C_{\mathcal{N}}$ is the classical capacity of $\mathcal{N}$. The constant $1/2$ is a result of using BB84 states, and stems from a corresponding uncertainty relation using post-measurement information [41]. It is a natural question whether we can go beyond this bound using BB84 encodings.
For channels with small classical capacity, our work reduces security to proving a strong converse for coding. Of considerable practical interest are continuous-variable channels: our results are also applicable in this case, given a suitable bound on the information-carrying capacity.

A more challenging question is to extend security to entirely different classes of channels than those considered here. Our results are currently restricted to channels without memory. Possibly the most important class of channels to which our results do not apply are those with high classical capacity. This includes for example the dephasing channel, whose classical capacity is 1. Security tradeoffs for such a channel are known [28] for the case of individual storage attacks. For the fully general case considered here, it is not a priori clear whether small classical capacity is a necessary condition for security: our security proof overestimates the capabilities of the malicious party by expressing his power purely by his ability to preserve classical information. Completely different techniques may be required to address this question.

Another way to extend our security analysis is to combine our protocols with computationally secure protocols to achieve security if the adversary either has noisy quantum storage or is computationally bounded. This can be achieved by using combiners (see [15, 23, US]). For oblivious transfer, the same can be achieved using the techniques of [8, 55, 12, 13], which only require the use of a computationally secure bit commitment scheme.

Limits for security: We have found sufficient conditions for security in the noisy-storage model. For concrete channels, these conditions give regions in the plane parametrized by the storage rate and the noise level (cf. Figure 1) where security is achievable. Establishing outer bounds on the achievability region is an interesting open problem. Corresponding necessary conditions could become practically relevant as technology advances.

Note that when the adversarial player is restricted to individual storage attacks, the optimal attacks are known [55]. It is an open problem whether the fully general coherent attacks considered here actually reduce the achievability region. In contrast, both kinds of attacks are known to be equivalent in QKD [49].

Our work is merely a proof of principle. For practical realizations of our protocols, the following issues need to be addressed:

Efficiency: One can reduce the amount of classical computation and communication needed to execute our protocols by using techniques from derandomization. In particular, we could use the constant-round interactive hashing protocol and the efficient encoding of subsets from [19], randomness-efficient samplers (see e.g. [22]), and extractors (see e.g. [56, 35, 57]) instead of two-universal hash functions.

In practice, both the security parameter $\varepsilon$ and the number $\ell$ of bits in the commitment or oblivious transfer are fixed constants. Savings in communication may then be obtained by using alternative uncertainty relations (i.e., generalizations of (18), which is tight [1] for $\varepsilon = 0$).

Composability: We have shown security of oblivious transfer and bit commitment with respect to security definitions that are motivated by composability considerations: this should ensure that the protocols remain secure even when executed many times, e.g., sequentially. It is, however, an open problem to show formal composability in our model, as has been done in the setting of bounded storage [Mll^]. To this end, a nice composability framework for our setting needs to be established.

Robustness: We have considered an idealized setting where the operations of the honest parties are error-free. In particular, the communication channel connecting Alice and Bob was assumed to be noiseless. In real applications, the BB84-state preparation by (honest) Alice, the communication, and the measurement of (honest) Bob will all be affected by noise. To guarantee security even in such a setting, we can apply the error-correction techniques of [55]. However, it remains to determine the exact tradeoff between the amount of tolerable noise of the communication channel (parametrized e.g. by the bit error rate) and the amount of noise in the malicious player's storage device [13].

We conclude with a few speculative remarks on potential applications of our work. Note that, in contrast to key distribution, general two-party computation is also interesting at short (physical) distances. An example is the problem of secure identification [17], where Alice wants to identify herself to Bob (possibly an ATM) without ever giving her password away. Our approach could be extended to realize this primitive in a similar way as in [55]. It would be interesting to find a new and more efficient protocol based directly on weak string erasure. The setting of secure identification is especially suitable for our model, since the short distance between Alice and Bob implies that their communication channel is essentially error-free. At such short range, we could also use visible light, for which much better detectors exist than are presently used in quantum key distribution. Note that Alice only needs to carry a device capable of generating BB84 states and allowing her to enter her password on a keypad. This device does not need to store any information about Alice herself, and hence each user could carry an identical device which is completely exchangeable among different (trusted) users at any time. In particular, this means that Alice's password is not compromised even if the device is lost. Finally, note that Alice's technological requirements are minimal: she only needs a device capable of generating BB84 states. This could potentially be small enough to be carried on a key chain.
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A Proofs for min-entropy sampling 

A.l The parameters for sampling — proof of Lemma 12.41 



For the proof of Lemma 2.4 we first recall the definition of a sampler.

Definition A.1. An $(m,\xi,\theta)$-averaging sampler is a probability distribution over subsets $S \subseteq [m]$ with the property that for all $(\mu_1,\ldots,\mu_m) \in [0,1]^m$ we have
$$\Pr_S\left[\left|\frac{1}{|S|}\sum_{i\in S}\mu_i - \frac1m\sum_{i=1}^m \mu_i\right| > \xi\right] \le \theta.$$

Choosing subsets of a fixed size at random is a prime example of a sampler; this is the sampler we will use. The parameters of this sampler are as follows.

Lemma A.2. Let $s \le m$ and let $P_S$ be the uniform distribution over subsets $S \subseteq [m]$ of size $|S| = s$. Then $P_S$ is an $(m,\xi,2^{-s\xi^2/2})$-sampler for every $s > 0$ and $\xi \in [0,1]$.

Proof. Fix $s > 0$ and $\xi \in [0,1]$. In [32, Lemma 2.2], $P_S$ was shown to be an $(m,\xi,e^{-s\xi^2/2})$-sampler. The claim then follows from the fact that $e^{-s\xi^2/2} \le 2^{-s\xi^2/2}$. $\square$

Replacing $H_{\min}$ by $H_\infty$, the following lemma follows directly from [32, Lemma 6.15 and Lemma 6.20]. The proof follows the same steps as the proof of Theorem 6.18 in [32].

Lemma A.3. Let $\rho_{Z^mQ}$ be a cq-state, where $Z^m = (Z_1,\ldots,Z_m)$ with $Z_i \in \{0,1\}^\beta$, and let $P_S$ be an $(m,\xi,\theta)$-averaging sampler supported on subsets $S$ of size $s = |S|$. Then
$$\Pr_S\left[\frac{H^{4\theta^{1/4}}_\infty(Z_S|SQ)_\rho}{s\beta} \ge \frac{H_\infty(Z^m|Q)_\rho}{m\beta} - c\right] \ge 1 - \theta^{1/2},$$
where $c$ is the error term of [32] (it contains a term $2\log 1/\kappa$, and $\kappa \le 0.15$ is assumed).
We are now ready to give the

Proof of Lemma 2.4. Because of the definition of smooth min-entropy and the fact that partial traces do not increase distance, it suffices to establish the claim for $\varepsilon = 0$. By Lemma A.2 and Lemma A.3 we have
$$\Pr_S\left[\frac{H^{4\cdot 2^{-s\xi^2/8}}_\infty(Z_S|SQ)_\rho}{s\beta} \ge \frac{H_\infty(Z^m|Q)_\rho}{m\beta} - c\right] \ge 1 - 2^{-s\xi^2/4} \qquad (49)$$
if $\kappa \le 0.06$. Here we used the inequalities $\kappa\log 1/\kappa \le \sqrt{\kappa}$ for $\kappa \le 0.06$, $\beta \ge 1$, $s \le m$ and $\xi \le 1$ to bound $c$. Note that the condition $\kappa \le 0.06$ is satisfied if $s \ge m/4$ and $\beta \ge 67$. Setting $\xi := \lambda/(4\omega)$ and using $s \ge m/4$ again, we get for $256\omega^2/\lambda^2 \le \beta$ that
$$c \le \frac{\lambda}{\omega}.$$
In particular, this implies that
$$\frac{H_\infty(Z^m|Q)_\rho}{m\beta} - c \ge \lambda - c \ge \frac{\omega-1}{\omega}\,\lambda. \qquad (50)$$
Combining (49) with $s\xi^2 = s\lambda^2/(16\omega^2) \ge m\lambda^2/(64\omega^2)$ and $\delta = 2^{-m\lambda^2/(512\omega^2)}$ gives the claim. $\square$
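The following bookkeeping is added here (it is not part of the original appendix) to make explicit how the sampler parameters of Lemma A.2 turn into the constants $\delta$, $\varepsilon+4\delta$ and $41\delta+2\varepsilon$ used in Lemma 5.4. It reads the smoothing parameter of Lemma A.3 as $4\theta^{1/4}$, which is the reading under which the $\varepsilon+4\delta$ in (47) and the $8\delta$ in (48) come out, and it uses only the quantities $\theta,\xi,s,m,\beta,\lambda,\omega,\ell,\delta$ defined on this page.
$$\theta = 2^{-s\xi^2/2},\qquad \xi = \frac{\lambda}{4\omega},\qquad s \ge \frac m4 \;\Longrightarrow\; s\xi^2 = \frac{s\lambda^2}{16\omega^2} \ge \frac{m\lambda^2}{64\omega^2},$$
$$\theta^{1/2} = 2^{-s\xi^2/4} \le 2^{-m\lambda^2/(256\omega^2)} = \delta^2,\qquad \theta^{1/4} = 2^{-s\xi^2/8} \le 2^{-m\lambda^2/(512\omega^2)} = \delta.$$
Hence the failure probability in (49) is at most $\delta^2$, which is the bound in (44), and the smoothing $4\theta^{1/4}$ is at most $4\delta$, which added to the WSE smoothing $\varepsilon$ gives the $\varepsilon+4\delta$ in (44) and (47). With $n = m\beta$ and min-entropy rate $\lambda$, the chain rule in the proof of Lemma 5.4 leaves
$$H := H^{\varepsilon+4\delta}_\infty\big(\Pi(Z)_{\mathrm{Enc}(W^*_{1-C})} \,\big|\, S^*_C\,C\,R_0R_1W^*_0W^*_1\Pi B''',\mathcal{A}\big) \ge \frac{\omega-1}{\omega}\cdot\frac{\lambda n}{4} - \ell - 1,$$
and privacy amplification to $\ell$ bits with error term $2^{-(H-\ell)/2} \le \delta$ requires $H - \ell \ge 2\log\frac1\delta = \frac{m\lambda^2}{256\omega^2}$, i.e.
$$\ell \le \frac{\omega-1}{\omega}\cdot\frac{\lambda n}{8} - \frac{\lambda^2 m}{512\omega^2} - \frac12,$$
which is the condition on $\ell$ invoked for (48). The total error is then $2(\varepsilon+4\delta) + \delta$ from privacy amplification plus $32\delta^2$ from (46), and $\delta^2 \le \delta$ turns $32\delta^2 + 9\delta + 2\varepsilon$ into $41\delta + 2\varepsilon$.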
A.2 Generalized min-entropy sampling — proof of Lemma 2.5

Proof. By definition of the smooth min-entropy, there exists a (possibly subnormalized) cq-state $\bar\rho_{ZQ}$ with $Z \in \mathcal{M}_{m\times\beta}(\{0,1\})$ such that
$$\tfrac12\|\bar\rho_{ZQ} - \rho_{ZQ}\|_1 \le \varepsilon \qquad (51)$$
and
$$H_\infty(Z|Q)_{\bar\rho} \ge \lambda m\beta. \qquad (52)$$
By the monotonicity of the trace distance under CPTPMs, we therefore have
$$\tfrac12\|\bar\rho_{ZQ'\Pi} - \rho_{ZQ'\Pi}\|_1 \le \varepsilon$$
for the states $\bar\rho_{ZQ'\Pi} := (\mathbb{1}_Z \otimes \mathcal{E})(\bar\rho_{ZQ})$ and $\rho_{ZQ'\Pi} := (\mathbb{1}_Z \otimes \mathcal{E})(\rho_{ZQ})$, where $\mathcal{E}$ is the CPTPM Bob applies to $Q$ to produce the permutation $\Pi$ and his remaining quantum information $Q'$, and by the fact that CPTPMs can only increase min-entropy (cf. (US)),
$$H_\infty(Z|Q'\Pi)_{\bar\rho} \ge H_\infty(Z|Q)_{\bar\rho}. \qquad (53)$$
Since, conditioned on $\Pi = \pi$, the string $\pi(Z)$ is obtained from $Z$ by a bijection (applied to the conditional states $\bar\rho_{ZQ'|\Pi=\pi}$), it is easy to see that
$$H_\infty(\Pi(Z)|Q'\Pi)_{\bar\rho} = H_\infty(Z|Q'\Pi)_{\bar\rho}. \qquad (54)$$
Combining (52), (53) and (54) gives
$$H_\infty(\Pi(Z)|Q'\Pi)_{\bar\rho} \ge \lambda m\beta.$$
Applying Lemma 2.4 to $\bar\rho_{\Pi(Z)Q'\Pi}$ (with $Q = Q'\Pi$, $\Pi(Z)$ instead of $Z$ and $\varepsilon = 0$) therefore leads to
$$\Pr_S\left[\frac{H^{4\delta}_\infty(\Pi(Z)_S|Q'\Pi S)_{\bar\rho}}{s\beta} \ge \frac{\omega-1}{\omega}\,\lambda\right] \ge 1 - \delta^2,$$
where $\delta = 2^{-m\lambda^2/(512\omega^2)}$. The claim follows from the monotonicity of the trace distance under CPTPMs and (51), since these imply
$$\tfrac12\|\bar\rho_{\Pi(Z)_SQ'\Pi} - \rho_{\Pi(Z)_SQ'\Pi}\|_1 \le \varepsilon$$
for every subset $S \subseteq [m]$. $\square$